we're not just making servers, we're making server history.

While innovation comes rapidly in the IT industry, basic server architectures haven't changed for decades. That's why Cisco answered the need for innovation by introducing the Cisco Unified Computing System - which integrates compute, high-speed networking, storage access and virtualization in one system. Since its introduction, IT departments have dramatically reduced data center complexity while

■ Lowering operating costs by up to 30%

■ Reducing Microsoft deployment times from weeks to minutes

■ Harnessing the power of the UCS architecture for Microsoft Windows Server and Exchange, SharePoint, and SQL Server deployments

The Cisco Unified Computing System, powered by intelligent Intel® Xeon® processors, signals the next evolution of the data center - where everything, and everyone, works together like never before.

Find out more at www.cisco.com/go/microsoft
Deuby

"2012 is shaping up to 
be an important year for 
System Center." 


The Evolution of Microsoft's System Center Suite 

Changes for 2012 focus on the cloud 


Microsoft has been in the systems management field for a long time. The company has marketed a management product practically as long as it's had an enterprise-class OS in Windows NT, and its suite of products has grown both horizontally by management area and vertically by capability. In true Microsoft form, the company's initial forays into some of these areas were less mature than its competitors, but over time, the company has built a competitive suite of products.

Microsoft released Systems Management Server (SMS) in 1994, 
one year after Windows NT 3.1. SMS 1.0 provided the basics of systems 
management, such as software and hardware inventory. I was in IT at 
Texas Instruments at the time and didn't work on SMS myself, but I 
remember it as extremely buggy and difficult to work with. We thought 
the SMS guy had the worst job around! However, life improved for the 
SMS guy as the product evolved to 2.0, SMS 2003, 2003 R2, and now 
System Center Configuration Manager (SCCM). As the name implies, 
SCCM handles all aspects of PC and server configuration. 

The next oldest member of the System Center family is its operations management product. This product has had two incarnations; the product was reinvented and renamed several years ago. Microsoft entered the operations management field in 2000 by purchasing the rights to Mission Critical Software's Enterprise Event Manager. Microsoft renamed the product Microsoft Operations Manager 2000 (MOM—thus providing IT pros with a rich supply of jokes) and marketed the product through at least 2006. Around 2005 or so, Microsoft came up with the umbrella "System Center" name for its management products, and Configuration Manager and Operations Manager were the first to join. The product was rewritten from scratch and released in 2007 as System Center Operations Manager (SCOM), the name and architecture it holds today.

Data Protection Manager (DPM) was the next to join the System Center family in 2005; it focuses on backup and data protection. Service Manager, released in 2010 after a long gestation period, is designed to handle incident and problem resolution, as well as change control; it integrates information from the other System Center products. System Center Essentials was added to the family in 2007 and updated in 2010 to address the needs of small-to-midsized businesses (SMBs); it contains some capabilities of Operations Manager and Configuration Manager.

As information technologies have evolved to include new computing models and therefore new capabilities to manage, Microsoft has expanded the System Center family. For example, Virtual Machine Manager (VMM) was introduced in late 2007 to manage virtual servers. VMM 2012, currently in release candidate, has capabilities that have grown well beyond its name. It's designed to support far more than just VMs and their hosts; it's a key part of Microsoft's private cloud computing architecture. In addition to VM and host management, VMM 2012 supports virtual network and storage pools, private clouds, and services in those clouds. The next beefed-up version of VMM's self-service portal is code-named Concero. It's fitting that VMM is evolving into a broader scope (if not name); Microsoft positions server virtualization as simply another technology in the infrastructure, and a dedicated product to manage it runs counter to that position. I won't be surprised if Microsoft simply renames the 2012 version Virtualization Manager.

Continuing to build out Microsoft's private cloud capability, the newest System Center member is Opalis. Opalis joined the fold when Microsoft acquired Opalis Software in late 2009. The product is essentially the glue that integrates the various System Center components. It does this by providing a high degree of process automation between System Center (or non-Microsoft) management products so that a single event in one component triggers an automated workflow to other components. (Service Manager performs similar functions for human workflow.) This middle layer of automation, between resource pools below and a Concero self-service interface above, is required to make a private cloud work. For 2012, Opalis is being rebranded as Orchestrator.

That's a lot of specialized products. Do you have to license each one separately? How closely do they actually work together? According to the 58-page Windows Server, System Center, and Forefront Licensing Guide (http://bit.ly/s5GtQ), Microsoft offers Server Manager Suite licenses for Enterprise (SMSE) and Datacenter (SMSD) that include Configuration Manager, Operations Manager, Virtual Machine Manager, Data Protection Manager, and Service Manager. Which package you choose depends on how many VMs you typically host on a server. By themselves, the System Center components aren't especially integrated; it currently takes an Opalis license, available as a "grant" to SMSE and SMSD licensees, to glue them together.

2012 is shaping up to be an important year for System Center. All the major components have 2012 versions in the works and are aimed at private cloud management. The individual products will interoperate more closely with one other, and Orchestrator will have better support for third-party management tools.

InstantDoc ID 141675 

SEAN DEUBY (sean@windowsitpro.com) is technical director for Windows 
IT Pro and SQL Server Pro, and former technical lead of Intel's core directory 
services team. He's been a directory services MVP since 2004. 
Thurrott

"Even a cursory examination of 
Microsoft's Community Support 
websites for the Windows 8 Developer 
Preview reveals a mounting discord." 



Windows 8 Worries 


Every month, I think I'm going to be able to move past Windows 8, and every month it just sucks me back in. The reason is simple: As a major upgrade to Microsoft's core product line, Windows 8 is a big deal. It's revolutionary and thus frightening to many users. But it's also taking a lot longer to complete than was originally expected.

We figured that Windows 8 would come to market in less than 
a year, like its predecessor, but now that's not so certain. I had 
expected a public beta release to happen before you read this. But 
now it seems that the beta won't ship until as late as the end of 
February. Trouble in paradise? 

Windows 8 Worries Continue 

When I speak to those running the Windows Division (which I refuse to call by its real name, Windows and Windows Live Division) at Microsoft and to those directly responsible for the momentous and revolutionary change to the Metro-style user experience, as most obviously embodied by the new Start Screen, I'm struck by an amazing semblance of calm. Here they are, uprooting Windows more violently than ever before in the past, and yet they seem so darned sure of themselves. It's fairly astonishing.

As a thinking man, however, I have my worries. Although I've 
bought into the notion of Metro-style apps, the new Windows 
Runtime (WinRT), and the Start Screen, at least on paper, there's 
this measure of doubt that something has gone terribly wrong. And 
because Microsoft has spaced the public milestones of this product 
so widely, I look for evidence to support both the accepting and 
doubting parts of my brain. 

That this spacing of milestones is such a concern speaks, I think, to the enormity of the change, and also to the times in which it's happening. Microsoft's core business is under assault as never before, both by simpler computing devices—smartphones and tablets—and by cloud computing services, all of which are working in concert to make obsolete the Windows/Office/PC computing norm of the past and present.

I've spent a considerable amount of time and effort—here in Windows IT Pro and at various websites, blogs, and podcasts—trying to remind people that the experience we have today with the pre-beta Windows 8 Developer Preview doesn't mirror how things will work after a collection of non-preview Metro-style apps become available. Today, we must run "legacy" Windows applications on the Windows 8 Developer Preview, causing a jarring, back-and-forth experience as we move between the Metro-style Start Screen and these old-school desktop applications. In the future, this won't be an issue, or at least it won't be as much of an issue, but that's hard for many to imagine. They simply see the problem as it stands today.

Unfortunately for Microsoft, it's the company's responsibility to communicate this change, and there's only so much an individual outside the company can do. (And sometimes I do feel like that lone person standing up to an onslaught of negativity, though I know that others associated with Windows IT Pro, such as Mark Minasi, are in fact also quite excited by the changes coming in Windows 8.) In the court of public opinion, as I write this, Microsoft is failing.

Even a cursory examination of the software giant's Community Support websites for the Windows 8 Developer Preview reveals mounting discord. Some complaint posts are so long and so frequently commented on that they're actually locked because they've become too unmanageable. Finding a positive note here is next to impossible. And some of the criticisms are certainly valid.

Multitasking. Because Windows 8 apps aren't typically closed 
but rather run in the background until automatically suspended, as 
with phone apps, this makes multitasking difficult. Anyone using 
Windows Flip (ALT + TAB) to tab through the list of available apps 
will run into unwanted apps they might have otherwise closed, 
making it hard to find the app required. 

Furthermore, Metro-style multitasking is functionally stunted 
compared to what's available today in Windows, with only two apps 
being allowed onscreen, side by side. Windows hasn't required 
window tiling like this since Windows 2.0 in the late 1980s. 

Touch first. "Touch first" means mouse and keyboard second. Microsoft argues that the Metro-style UI is "touch first" not "touch-centric," a bit of word play that's designed to undercut criticisms that the company is designing Windows 8 purely for a market that doesn't even exist yet: that of touch-based devices and PCs.

But as critics have noted, the very notion of "touch first" means that other interface types—including mouse and keyboard—are by definition secondary. And anyone who has used the Developer Preview on a traditional PC will tell you that mouse and keyboard interactions are lackluster. I'm sure this will improve, as Microsoft claims, but the fact remains that designing one UI for such a diverse array of input types is difficult.

Full screen apps. Metro-style apps run as a full screen or, when supported, they can be tiled next to each other. This makes sense for devices such as the iPad, which has limited resources, but it's hard to justify on the PC, where 27-inch screens, multi-core processing, and copious amounts of RAM and storage are increasingly common. To understand why running apps only as a full screen display might be a problem, try to spend a day in a web browser that's in full-screen mode (tap F11 to toggle this). It's almost impossible.

ARM. Trying to get a straight answer out of Microsoft about its plans for ARM-based Windows 8 versions is a little like pulling teeth. We know that ARM versions of Windows 8 won't be compatible with the thousands of x86/x64-compatible Windows applications that are currently available. And we know that ARM-based versions of Windows 8 will run all of the future, Metro-style apps.

But will these versions supply the legacy desktop, or be pure, iPad-style devices with just the Start screen? Will developers be able to write new, Win32-style desktop apps that run on both ARM and x86 systems?

Microsoft isn't saying. And I have to be 
honest here, the silence serves no purpose 
I can understand, beyond helping Apple 
solidify this market around its already- 
shipping, well-understood iPad. 

I've seen many more complaints, but 
you get the idea. And for each of these listed 
complaints, it's worth noting that none of 
them are colored by a misunderstanding 
of the future. That is, each assumes that we 
will in fact be running full-screen, Metro- 
style apps in the future, not legacy desktop 
applications. And still this vision of the 
future is seen as flawed. 

There might be deeper problems, however. One of the issues that Microsoft has never adequately addressed with Windows is that its OS is a servant with many masters. The needs of individual users vary, of course, but the needs of individual users also vary within businesses, which are themselves diverse and different.

In the past, Microsoft could build into the OS multiple avenues for completing tasks, with both friendly, wizard-based interfaces for new users and non-discoverable but more efficient interfaces for power users. In Windows 8, this capability is gone, and Microsoft is left to position the Metro-style UI as its simple, friendly UI and the legacy desktop interface as its power user/business interface.

How could Microsoft possibly imply that its brand new UI is simple and less efficient? And how can it support two distinctly different user experiences in the same product? Why not just make them completely different products, with different names and missions?

These are the questions I see out there. These are the concerns that readers have. And while we wait, and wait, and wait for Microsoft to divulge what's changing in the beta, and what it plans to do going forward, the questioning turns to dissatisfaction, even among some of the company's strongest enthusiasts. This is a problem the software giant needs to address sooner rather than later.

Changes in the Windows 8 Schedule 

Not helping matters is that Microsoft hasn't 
been able to keep Windows 8 to the same 
manageable schedule that it provided for 
its predecessor, Windows 7. In retrospect, 
this makes sense. Windows 7 was a minor 
update with extremely clear goals: Keep 
everything that was right about Windows 
Vista but make it faster, smaller, lighter, and 
more manageable. 

Windows 8, meanwhile, is a revolution. 
And these things take time. 

How much time? Well, my sources at the software giant told me originally that the schedule for Windows 8 would closely mirror that for Windows 7. We would receive a feature-complete prerelease version in Fall 2011, followed by a beta version in January, a release candidate (RC) in April, and the final release to manufacturing (RTM) in July. Windows 8 would then ship just in time for the back-to-school season next year.

Since then, of course, Microsoft shipped a Developer Preview in September that quite obviously isn't feature complete. The beta, originally scheduled for January, could slip to late February, according to sources, though there's still some hope this will be a feature-complete release. It's certain that not providing such a thing at such a momentous milestone would throw the schedule further behind.

But assuming Microsoft is able to deliver a beta by February, how will that affect the schedule? Assuming the company can then return to a more typical schedule of three months between milestones, it's possible we could see an RC release in May, followed by RTM in August. That's too late for back to school.


But what if the September-to-February time period is more typical for the remainder of the schedule? That would place the final release of Windows 8 as far out as December 2012, with general availability happening in early 2013.

This is exactly the schedule envisioned by trusted Microsoft watcher Michael Cherry, not coincidentally. The Directions on Microsoft analyst stated that he didn't expect to see Windows 8 PCs hit the market before early 2013, because of mounting delays.

However, just in case this is actually starting to make sense to you, a source I do trust at Microsoft told me recently that the plan was still for Windows 8 to hit general availability by late August 2012. Could such a thing be possible?

It's possible, according to my "Windows 
Weekly" podcast cohost Mary Jo Foley, who 
isn't buying all the doom and gloom for 
Windows 8. If the Windows 8 Beta really 
is feature complete, she says, getting from 
the beta to the final release won't take all 
that long. 

In fact, it will simply be a matter of fixing bugs, addressing some obvious user feedback, and shipping. And she believes that Microsoft will be able to deliver a real RC version well before mid-year and ship the final version of Windows 8 to manufacturing shortly thereafter. That puts the product in market just in time for the crucial back-to-school season.

What does all this mean to you? Frankly, Windows 8 is a non-starter in businesses for all of 2012, no matter how it turns out and how fast Microsoft is able to get the product to market.

I would spend much of the year investigating this release, because it's going to evolve over time and will be a major change. But I don't see any businesses rolling out Windows 8 in volume before 2013 at the earliest. So continue with your Windows 7 plans, folks, there's nothing to see here.
WINDOWS POWER TOOLS


Minasi 

"Windows and AD retain a number
of when-you-last-logged-on-related
attributes, but they're all
a pain to get to."



Use Get-ADUser to Find Inactive AD Users 

Search for people who haven't logged on to a domain in 180 days 


In "Use Get-ADUser to Determine Who Has Never Logged On" (InstantDoc ID 141189), I showed you how to use Active Directory's (AD's) PowerShell tools to find never-used user accounts. At the same time, I revealed the AD attributes accessible from PowerShell that might give you an idea about who's logged on and—more important—who hasn't logged on in a while. This month, let's search for people who haven't logged on to a domain in, say, the past 180 days.

Windows and AD retain a number of when-you-last-logged-on-related attributes, but they're all a pain to get to. You could look at account-logon events, but you'd have to grab them from every domain controller (DC) and sort them by date and person to find the most recent of those events for each person. Not fun! Alternatively, you could grab something like AD's lastlogon user attribute, but again DCs don't replicate that value. So, as in the case of the account-logon event, you'd have to retrieve lastlogon's value from every DC in the domain, then find the most recent one for each user. That's too much work.

Fortunately, on Windows Server 2003 and later domain functional levels, Microsoft added lastlogontimestamp, an AD attribute that is replicated amongst DCs. It's stored as a fairly ugly large integer (as I write this in October 2011, lastlogontimestamp's value is 129623232699932000) that isn't very easy to work with. Thus, it's a blessing that the AD PowerShell folks convert that into a straightforward value called LastLogonDate that looks like Saturday, October 08, 2011 1:07:18 PM, accessible via Get-ADUser.

Knowing this, you can use this command to create a table of users sorted by when they last logged on:

get-aduser -f * -pr lastlogondate | sort -property lastlogondate | ft samaccountname,lastlogondate -auto

Thus, you can query any DC and see whether any user last logged 
on to the domain around, say, September 22, 2011. Well, sort of. 
You see, Microsoft added lastlogontimestamp to AD because many 
AD administrators wanted some way to track logons, but Redmond 
worried that adding something to AD that closely tracked logons 
could significantly increase AD's replication burden. 

To reduce lastlogontimestamp-related replication traffic, DCs update the value only every 9 to 14 days. Whenever a DC logs you on, that DC looks at your current lastlogontimestamp value. The DC then picks a random real number between 9 and 14. If the number of days between when you last logged on and now is smaller than the random number, the DC doesn't update your lastlogontimestamp value. As a result, each user's lastlogontimestamp value gets updated only once every 12 days or so—no matter how often that user logs on during that time period. Less precision, yes, but also a lot less replication traffic.

Suppose I log on to my domain at noon on January 20, 2012, and I haven't logged on since 9:00 a.m. on January 9 of that year. Thus, I haven't logged on in 11.25 days. My DC then chooses a random number between 9 and 14. Let's assume it chooses 13.44. The chosen random number (13.44) is larger than the time span between my last two logons (11.25), so my DC doesn't change my lastlogontimestamp value upon this logon. Clearly, then, although lastlogontimestamp is useful, it might be wrong by as many as 14 days, so it's of no use to identify who hasn't logged on in the past two weeks. (For finding those who haven't logged on in about six months, though, it can be quite useful!)

You could try to do some gymnastics 
with Get-ADUser to find those users 
who haven't logged on in the past 180 
days, but the AD PowerShell folks saved us the effort with a cmdlet 
called search-adaccount, which lets you perform this query: 

search-adaccount -accountinactive -usersonly -timespan "195" 

That looks simple, but there are two things about this command that are unintuitive. First, notice the double quotes around the number 195: The -timespan parameter absolutely requires those. Second, notice that it's 195, not 180. (And remember, you don't get lastlogontimestamp unless you're in Windows 2003 domain functional level or greater.) Search-adaccount has a quirk that requires you to add 15 to your target period of inactivity, and in truth the value isn't exactly 15 days. To learn why it does that and how to figure out the exact value to enter—as well as an alternative syntax to find inactive users—please join me next month.
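As an added example that is not part of the column, the following PowerShell script performs the same 180-day search with Get-ADUser rather than Search-ADAccount, pads the cutoff by the 14 days that lastlogontimestamp can lag behind a real logon, and lists never-logged-on accounts separately because they carry no lastlogontimestamp at all. The variable names are chosen here, and the script assumes the ActiveDirectory module on a domain-joined machine with a Windows Server 2003 or later domain functional level.

```powershell
# Added example (not the column's own code): the 180-day search done with
# Get-ADUser instead of Search-ADAccount. Assumes the ActiveDirectory module
# (RSAT) on a domain-joined machine and a Windows Server 2003 or later domain
# functional level, since lastLogonTimestamp does not exist below that.
Import-Module ActiveDirectory

$InactiveDays = 180
$StampSlack   = 14   # lastLogonTimestamp can lag the real last logon by up to 14 days
$Cutoff       = (Get-Date).AddDays(-($InactiveDays + $StampSlack))
$CutoffFT     = $Cutoff.ToFileTime()   # the same large-integer form the attribute uses

# The raw attribute is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. This is the conversion behind the friendly LastLogonDate
# value; the number is the one quoted in the column.
$Sample = [DateTime]::FromFileTimeUtc(129623232699932000)
"Raw 129623232699932000 converts to {0:u}" -f $Sample

# Enabled users whose stamp is older than the padded cutoff. Padding by 14 days
# means every hit has really been inactive for at least 180 days; the price is
# that users inactive for between 180 and 194 days may not be caught yet.
$Stale = Get-ADUser -Filter { Enabled -eq $true -and lastLogonTimestamp -lt $CutoffFT } -Properties lastLogonTimestamp |
         Select-Object SamAccountName,
                       @{ Name = 'LastLogonDate'; Expression = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
         Sort-Object LastLogonDate

# Accounts that have never logged on carry no lastLogonTimestamp at all, so the
# numeric comparison above silently skips them; list them separately.
$Never = Get-ADUser -LDAPFilter '(!(lastLogonTimestamp=*))' |
         Where-Object { $_.Enabled } |
         Select-Object SamAccountName

$Stale | Format-Table SamAccountName, LastLogonDate -AutoSize
"{0} stale account(s); {1} enabled account(s) that have never logged on" -f @($Stale).Count, @($Never).Count
```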
Otey

"Virtualization lays the foundation for 
the cloud by abstracting the server and 
workload from the underlying hardware." 


Private Cloud FAQs 

VMM 2012 introduces a new management layer that enables the creation 
of private clouds 


There's no doubt that cloud computing is one of the most significant technology shifts that has ever hit the IT market. However, if there's any one word that characterizes cloud computing, that word is confusing. It seems that every vendor has a different definition of what cloud computing means. When you throw in the public cloud, the private cloud, and the hybrid cloud, it's no wonder so many people are confused. In this column, I'll try to dispel some of that confusion as I answer 10 of the most common questions about building the private cloud by using Microsoft System Center Virtual Machine Manager (VMM) 2012.

1. How is the private cloud different from the public cloud? —Cloud computing in general has come to be identified by its four main attributes: pooled resources, elasticity, self-service, and usage-based metering. These attributes are found in both the public and the private cloud. In simplified terms, the public cloud includes resources that you lease from a cloud hosting provider and the private cloud consists of your on-premises computing resources.

2. Isn't cloud computing, and especially the private cloud, really just the same as virtualization? —The private cloud is more than virtualization. Virtualization lays the foundation for the cloud by abstracting the server and workload from the underlying hardware. However, the private cloud adds a number of other features, such as service-based management, the ability to automate operations, self-service end-user capabilities, and usage-based chargeback, that go beyond plain virtualization.

3. How do you build the private cloud for Windows Server and its applications? —To build a private cloud using the Microsoft stack, you need to use VMM 2012. VMM 2012 goes way beyond the virtual machine (VM) management functions that were provided by VMM 2008 or VMM 2008 R2, and it introduces a new management layer that enables the creation of private clouds.

4. What makes up a private cloud built with VMM 2012? —VMM 2012 includes several new management constructs that let you create a private cloud layer on top of your on-premises resources. In VMM 2012, the private cloud is made up of computing resources called a fabric and collections of related VMs and other resources known as services. Users are given access to the private cloud through Active Directory (AD).

5. Is a service the same thing as a VM? —No. In VMM 2012, a service is a higher-level concept than a VM. A service might contain multiple VMs. For instance, you might create a service out of a multi-tier application where one VM contains the front-end web server, another VM contains the application server and business logic, and another VM contains the back-end database; the service would also include the virtual network definitions. The service lets you manage all of these entities as a single unit.

6. What is the fabric? —In VMM 2012, the fabric essentially represents your local computing resources, including your VMs, your virtual networks, and any Storage Management Initiative Specification (SMI-S) compatible storage. Services are built by using the computing resources that comprise the fabric.

7. Can a VMM 2012 private cloud use other virtualization platforms besides Hyper-V? —Yes. In addition to Hyper-V servers, VMM 2012 can manage VMware vSphere and Citrix XenServer. In order to manage vSphere servers, you must have the VMware vCenter Server management product installed.

8. What gives the private cloud self-service capabilities? —The main feature that provides VMM 2012 with self-service capabilities is the VMM Self-Service Portal. The VMM Self-Service Portal is a web application that lets authorized end users manage their own VMs according to the policies and quotas that have been assigned to them.

9. When is VMM 2012 due to be released? —System Center Virtual Machine Manager 2012 Release Candidate is now available for download from the Microsoft Download Center at www.microsoft.com/download/en/details.aspx?id=27252. The final version should be available in the first half of 2012.

10. Is VMM 2012 the only product that can build the private cloud? —No. VMM 2012 is Microsoft's answer to building the private cloud, but there are other private cloud solutions available. One of the most notable is VMware's vCloud Director.
ENTERPRISE IDENTITY



Deuby 

"Provisioning accounts in the 
cloud can currently be handled 
in a number of different ways." 


SCIM Simplifies Cloud Service Identity Provisioning 

Within the next year, this specification will affect your job as an identity 
professional 


This month, I thought I'd update you about some important work that's going on in the arena of cloud identity standards. You've probably never heard of the Simple Cloud Identity Management (SCIM) specification, but within a year it will affect some of the key areas you work on as an identity professional.

A Foray Into IAM

Before I get into the problem that SCIM is being designed to solve, I 
think a little background would be helpful. You can broadly carve up 
identity and access management (IAM)—whether it's on premises or 
in the cloud—into four categories sometimes called "the four A's." 

Authentication. The first and most obvious category is authentication (often abbreviated AuthN), which is the verification of an identity assertion (e.g., "I am Sean Deuby") by a trusted authority (Penton Media's Active Directory—AD). Authentication is by far the most mature of these four cloud identity areas, with a variety of available standards and technologies, though its cloud version is still far from overall maturity.

Authorization. The second cloud identity category is authorization (AuthZ, also referred to as access management), which is the process of granting access to an identity by a trusted authority to specific resources. For example, I've been granted access to certain network shares on a Fort Collins file server by Penton's AD administrators. In the cloud identity world, authorization is still immature, and implementations vary from one cloud service provider to another, though standards such as extensible Access Control Markup Language (XACML) are growing in acceptance.

Audit. The third category is audit, which for the purposes of this article I'll define as the recording and verification of IAM-related activities. Auditing, at least as far as cloud services go, is also a relatively immature area. The Cloud Security Alliance (cloudsecurityalliance.org) has assumed ownership of the CloudAudit project "to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology."

Accounts. The last of the four cloud identity categories is 
accounts. An integral task of any IAM system is dealing with user 
accounts and user groups. The lifecycle of working with these 
groups is often abbreviated as CRUD: create (aka provisioning), 
read, update, and delete (aka de-provisioning). This identity area 
is more mature than audit or authorization, but it's had its share 
of growing pains. 

How do you go about provisioning accounts in the cloud? This 
can currently be handled in a number of different ways. First, you 
can simply bulk load accounts into the service provider with a 
.csv file, or otherwise manually provision them. Obviously, this 
is a function where automation is 
extremely important; not only is 
manual account provisioning not 
scalable, it's insecure. Unfortunately, 
this is the only method most service 
providers give their customers. 

A much smaller subset of service 
providers has moved beyond these 
simple methods and provides proprietary 
APIs or dedicated connectors for 
provisioning (which therefore can't be 
re-used for the next service provider), 
or they support directory synchronization 
(where the contents of an AD 
container such as an organizational 
unit—OU—are duplicated and kept in sync at the service provider). 
A very few support IAM standards such as Security Assertion Markup 
Language (SAML) for just-in-time provisioning. There is a standard 
specifically for provisioning called Service Provisioning Markup 
Language (SPML), but the industry hasn't adopted it. 

Why Didn't SPML Work? 

It seems that one of the things that sunk SPML is that it was 
designed to be a complete solution to fit all situations, and therefore 
too ponderous to easily implement for most service providers. 
As Patrick Harding of Ping Identity also mentions in his post about 
SCIM, this reminds me of why we're using Lightweight Directory 
Access Protocol (LDAP) instead of DAP 
for directory access. Have you ever heard 
of DAP? Have you ever wondered why a 
directory access protocol had to be named 
"lightweight" if there wasn't something 
heavyweight in its past? 

Why is all this talk about provisioning 
methods important? Because as you begin 
to use cloud service providers, you need 
to provision, manage, and de-provision 
accounts on the service provider. Thus, you 
should know what different methods are 
available and which are superior. Once you 
understand them, you can make the provisioning 
methods that a potential cloud 
service provider supports a criterion to use 
when you're evaluating them. 

What the cloud computing world needs 
is a standard for user provisioning that 
everyone can use so that they can get on with 
their main business of providing and using 
services. It's always good for us identity types 
to be reminded that identity management 
isn't the end goal; it's only a means to an 
end. And it should be as simple, transparent 
to implement, and secure as possible. This is 
what SCIM is designed to help with. 

The best summary of SCIM comes 
from its simplecloud.info home page: 
"The [SCIM] specification is designed to 
make managing user identity in cloud- 
based applications and services easier. 
The specification suite seeks to build upon 
experience with existing schemas and 
deployments, placing specific emphasis on 
simplicity of development and integration, 
while applying existing authentication, 
authorization, and privacy models." 

Before I describe SCIM in a little more 
detail, let's get the inevitable SCIM jokes out 
of the way. First joke: Since it's about provisioning, 
SCIM is more accurately described 
as user management than identity management—but 
then it would be SCUM. Second 
joke: If you used "access management" or 
"attribute management," then you'd have 
SCAM. So, its creators have settled for the 
slightly less accurate, but far more palatable 
nomenclature of identity management. 

Deeper Into SCIM 

Coming from the lessons of SPML, the first 
S of SCIM is important: It's designed to be 
simple. SCIM doesn't try to cover every 
provisioning situation; rather, it just covers 
the most common use cases and as a result 
is much simpler than SPML. It can handle 
creation, update, and deletion of users and 
groups; search; XML and JSON representations; 
and SAML binding for just-in-time 
provisioning. 

SCIM has a common user schema, so 
name-value pairs (e.g., first name, last name, 
email address) mean the same thing regardless 
of which SaaS vendor you're provisioning 
to, and this schema can be extended 
if necessary to handle specific identity or 
service-provider requirements. It uses a 
RESTful API, which makes it easier to integrate 
into existing cloud services. And SCIM 
has been designed to be fast for the service 
provider to implement. At the last Internet 
Identity Workshop (IIW) in October 
(iiw.idcommons.net/SCIM_(Simple_Cloud_Identity_Management)_(3H)), 
developers for service providers were implementing 
SCIM-compliant connectors with a single 
day's work. 

Unlike SPML, the industry itself has 
been developing this specification based 
on practical experience. Salesforce.com, 
Cisco, Google, Ping Identity, Technology 
Nexus, and UnboundID, among others, are 
committed to its success and are actively 
putting the polishing touches on a 1.0 version 
of this specification. 

It seems to me that SCIM and SPML 
represent yet another example of the 
80/20 rule: Support 80 percent of the 
provisioning use cases out there, and 
the spec will be simpler because it's the 
remaining 20 percent that requires all the 
extra complexity. If you really need that 
20 percent capability, and you can't get it 
done with a SCIM schema extension, it's 
probably OK that it needs a proprietary 
solution. 


Another driving force behind SCIM 
is the need for speed. As we all know, 
the use of cloud services—especially SaaS 
applications—is exploding. Every day that 
we move forward without a provisioning 
standard, more cloud service providers are 
forced to come up with their own proprietary 
ways of giving identity providers access 
to their services and will have to retrofit a 
standard into their service. 

SCIM's Status 

But SCIM is moving forward quickly. At the 
IIW in October, there were numerous vendors 
doing interoperability testing of SCIM 
with their services, including Salesforce.com, 
which developed a functional SCIM 
endpoint from scratch while at the workshop. 
As of December 2011, the SCIM 
working group was expected to declare a 
version 1.0, and Harding (one of SCIM's key 
initiators) believed that Google Apps, Cisco 
WebEx, and Salesforce.com would all have 
working SCIM endpoints in production at 
some point in 2012. 

Is there anything you should do? You 
need to demand that your cloud service 
providers support the emerging SCIM 
specification for provisioning. It will be 
easier and cheaper for you because you 
won't need a specialized connector, and 
it will be better for the service provider 
because it can provide a standard provisioning 
interface to its customers. 

SCIM Resources 

For more information, see SCIM's home 
page (simplecloud.info). Ping Identity 
has a short SCIM tutorial 
(www.pingidentity.com/resource-center/SCIM.cfml). 
Trey Drake of UnboundID has a 
Mythbusters-like SCIM FAQ 
(www.unboundid.com/blog/2011/11/16/myth-busters-%E2%80%93-simple-cloud-identity-management-episode), 
and Chris Phillips 
of CANARIE has a nice PowerPoint overview 
of SCIM 
(www.slideshare.net/teamktown/scim-a-participants-perspective-internet2-macedir-briefingscimmacedir20110627). 
Mitchell 

"The less space used for ECC, the 
more space we have available 
for storing files!" 


The Promise of Advanced Format Hard Drives 

A fundamental change to storage 


Back in the time of the first hard drives, back when 
wild mainframes still roamed the world, a standard 
sector size materialized into being. That size 
was 512 bytes. In a sector editor, that single sector 
looked like Figure 1. The 512-byte sector remained 
relatively unchanged until just a couple years ago, 
when some drives hit the marketplace with a new sector size 
of 4,096 bytes. These drives are affectionately referred to as 
4K sector drives or simply 4K drives. The industry has chosen 
the term for this new media as advanced format. Here's how 
these new drives are poised to fundamentally change the storage 
industry. 

Why the Change? 

There are a couple reasons for this increase in sector size. A minor 
reason would be because of drive size. Hard drives that are 2TB 
in size are becoming pretty common. And with a 512-byte sector 
size, we start to see some of the limitations of how large a single 
drive can be, using the old Master Boot Record (MBR) style of 
partitioning. But this isn't a large concern, because the industry 
is moving more toward using GUID Partition Table (GPT) disks 
rather than MBR style disks. I authored a couple of blog entries 
that covered GPT versus MBR in more detail: "Understanding 
the 2 TB Limit in Windows Storage" 
(blogs.technet.com/askcore/archive/2010/02/18/understanding-the-2-tb-limit-in-windows-storage.aspx) 
and "GPT in Windows" 
(blogs.technet.com/b/askcore/archive/2010/10/08/gpt-in-windows.aspx). 

However, as I previously stated, drive size is a minor concern. 
The real concern is the juggling act between areal density, Error 
Correcting Code (ECC), and signal-to-noise ratio (SNR). 

• Areal density (aka bit density) is the amount of data that can 
be stuffed into an area of a disk. The more data stored, the 
higher the areal density. The downside to higher areal density 
is that it adversely affects SNR. 

• ECC is special code saved to the media that exists outside the 
sectors that are exposed for file storage. 

• SNR is a ratio of valid data transfer against invalid transfer or 
noise. The lower the ratio, the more drive space must be given 
up to ECC. 

You should be able to see the juggling act now. If drive manufacturers 
increase areal density, SNR decreases, so more ECC is necessary 
to help maintain decent error rates, thus reducing the media's 
space efficiency. Eventually we reach a point at which any gain 
made in areal density is almost completely lost to additional ECC. 


Enter the 4K Drive! 

The older 512-byte sector drives actually lose quite a bit of space 
just to storing ECC for each individual sector. So, the idea is that 
if we have larger sectors with better optimized ECC, the amount 
of space used in error correction would be greatly reduced, and 
at the same time a drive's ability to detect errors in an individual 
sector would be improved. The returned space can then be used 
for file storage instead. By moving to drives with 4K sectors, we 
increase areal density. The ECC used for a single 4KB sector is 
significantly less than it would be for eight 512-byte sectors. And 
the less space used for ECC, the more space we have available for 
storing files! 

Two Types of 4K Drives 

There are two types of 4K sector drives. The first and most popular 
type is the 512-byte sector emulation drive (512e). Although under 
the hood it's actually a 4K sector drive, it emulates a 512-byte sector 
drive by presenting two different sector sizes to the OS. It presents 
a 512-byte logical sector to use as the unit of addressing, and it 
presents a 4K physical sector to use as the unit of atomicity. 



Figure 1: 512-byte sector 0 (zero) on physical drive 0 (zero) in Disk Probe 

Table 1: Determining the Type of Drive You Have 

The second type is the 4K Native drive, 
which is harder to find but has been seen 
with some USB-based hard drives over 
2TB in size—probably because hardware 
vendors are holding off until the industry 
has had more time to prepare for them. 
No sense in providing the next new thing if 
only a few people can use it! The 4K Native 
drives don't have this emulation, and both 
the logical and physical sector size is 4K. 

To verify what type of disk you have, do 
the following: 

1. Install the appropriate update. 

(You can find the appropriate links under 
"Supportability Issues" later in this article.) 

2. Run the following command from 
an elevated command prompt (where x is 
the drive you're checking): 

fsutil fsinfo ntfsinfo x: 

3. Use Table 1's values for Bytes per 
Sector and Bytes per Physical Sector to 
determine the type of drive you have. 

There's another way to check whether 
you have a 4K drive, but this method will 
discover only whether your drive is 4K 
Native or 512 Native. Run msinfo32 from 
Start/Run, and under Components select 
Storage, then Disks. You'll see 4096 in the 
Bytes/Sector section that Figure 2 shows. 

What About NTFS? 

The new 4K sector size at the physical disk 
level actually lends itself well to the way 
NTFS works. The unit that NTFS works with 
is referred to as a cluster or allocation unit. 
The default cluster size for NTFS is already 
4K. Most volumes out there are already 
using a cluster size that's equal to the new 
hard disk sector size. The index blocks used 
by NTFS are 4K, as well. 



Once the 4K Native drives start having 
more of a presence, NTFS will greatly 
benefit from the change. Currently, NTFS 
file records are only 1K in size. On 4K 
Native drives, these file records will also 
increase to 4K in size. This means that files 
with a greater complexity (fragmentation) 
will have a greatly reduced chance of hitting 
certain file system limitations, such 
as the fragmentation limit and practical 
file-size limitations for compressed and 
sparse files. You can find more information 
about the effect of advanced format 
drives on NTFS in the blog post "NTFS 
and 4K Disks" 
(blogs.msdn.com/b/ntdebugging/archive/2011/06/28/ntfs-and-4k-disks.aspx). 

Supportability Issues 

Although it's truly an exciting time for those 
of us interested in storage, you can't have 
a change of this magnitude without problems. 
Sector size has been the same for so 
long that the software industry has come 
to depend on it. Programmers have relied 
on a constant sector size for decades. From 
the Windows side, there are a number of 
gotchas we need to know about before 
making the jump to 4K drives. (Note that 
the hotfixes listed in this section apply 
to 512e drives only. There's currently no 
down-level support for 4K Native disks on 
any released version of Windows.) 

Windows XP/2003/2003 R2. Microsoft 
doesn't support advanced format drives 
with deployments on Windows XP, Windows 
2003, and Windows 2003 R2. So, support 
must come from the disk provider. The 
decision was made not to spend cycles on 
older versions that were released before the 
first rumblings of these new drives. 

Windows Vista/Server 2008. There 
are a few issues that have already been 
identified and fixed in Windows Vista 
and Windows Server 2008. These fixes are 
included in a single rollup update, "A hotfix 
rollup that improves Windows Vista and 
Windows Server 2008 compatibility with 
Advanced Format disks" (support.microsoft.com/kb/2553708). 

Windows 7/Server 2008 R2. Windows 
7 and Server 2008 R2 also need to be 
patched to work best with advanced format 
drives. See "An update that improves the 
compatibility of Windows 7 and Windows 
Server 2008 R2 with Advanced Format 
Disks is available" (support.microsoft.com/ 
kb/982018). 

Hyper-V when hosting VHDs. Because 
of the 512-byte writes used with VHD files, 
reduced performance can result from hosting 
the VHD files on 512e drives. This is due 
to extra steps added when I/O is performed 
using a process called Read-Modify-Write. 
What happens is that for every 512-byte 
sector changed by the child system, the 
parent must read in the 4,096-byte sector 
that contains the 512-byte sector in 
question, make the change, then write 
the 4,096-byte sector back to disk. If the 
child needs to make 10 changes, this process 
will occur 10 times. In this situation, 
Hyper-V is completely incompatible with 
4K Native drives. See the Microsoft article 
"Using Hyper-V with large sector drives 
on Windows Server 2008 and Windows 
Server 2008 R2" (support.microsoft.com/kb/2515143). 
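To make the Read-Modify-Write cost concrete, here is an added example (not code from the article): a small Python model of a 512e drive that counts physical sector reads and writes for a few constructed workloads, including a 4K write starting at LBA 63 to show why partition alignment matters. The classify_drive helper and the workloads are my own assumptions; the 512-byte logical and 4,096-byte physical sector sizes come from the text.

```python
"""Read-Modify-Write amplification on a 512e drive.

Added example, not code from the article: a model of a drive that
exposes 512-byte logical sectors on top of 4,096-byte physical sectors.
Any write that does not cover a whole, aligned 4K physical sector makes
the drive read that sector, patch the changed 512-byte pieces, and write
the whole 4K sector back (the Read-Modify-Write cycle described above).
"""
from dataclasses import dataclass

LOGICAL_SECTOR = 512      # unit of addressing presented to the OS
PHYSICAL_SECTOR = 4096    # unit of atomicity on the media


def classify_drive(bytes_per_sector: int, bytes_per_physical_sector: int) -> str:
    """Map the 'Bytes per Sector' / 'Bytes per Physical Sector' values that
    'fsutil fsinfo ntfsinfo x:' reports to the drive types named in the text
    (assumed mapping based on the article's description of 512e)."""
    if (bytes_per_sector, bytes_per_physical_sector) == (512, 512):
        return "512 Native"
    if (bytes_per_sector, bytes_per_physical_sector) == (512, 4096):
        return "512e"
    if (bytes_per_sector, bytes_per_physical_sector) == (4096, 4096):
        return "4K Native"
    return "unknown"


@dataclass
class Drive512e:
    """Counts the physical sector operations a 512e drive performs."""
    physical_reads: int = 0
    physical_writes: int = 0

    def write(self, lba: int, sector_count: int) -> None:
        """Write `sector_count` logical (512-byte) sectors starting at `lba`."""
        start = lba * LOGICAL_SECTOR
        end = start + sector_count * LOGICAL_SECTOR
        first = start // PHYSICAL_SECTOR
        last = (end - 1) // PHYSICAL_SECTOR
        for phys in range(first, last + 1):
            p_start = phys * PHYSICAL_SECTOR
            p_end = p_start + PHYSICAL_SECTOR
            if start > p_start or end < p_end:
                # Partial coverage: the drive must read the 4K sector first.
                self.physical_reads += 1
            self.physical_writes += 1


def simulate(writes: list[tuple[int, int]]) -> tuple[int, int]:
    """Run (lba, sector_count) writes; return (physical_reads, physical_writes)."""
    drive = Drive512e()
    for lba, count in writes:
        drive.write(lba, count)
    return drive.physical_reads, drive.physical_writes


def demo() -> dict[str, tuple[int, int]]:
    """Three constructed workloads that show where the amplification comes from."""
    return {
        # Ten separate 512-byte changes, as a VHD child or SQL Server might issue:
        # each one costs a read plus a write of a full 4K sector.
        "ten_512_byte_writes": simulate([(i, 1) for i in range(10)]),
        # One 4K write aligned to a physical sector: no read, one write.
        "aligned_4k_write": simulate([(0, 8)]),
        # The same 4K write starting at LBA 63 (a classic misaligned partition
        # start): it straddles two physical sectors, so two RMW cycles.
        "misaligned_4k_write": simulate([(63, 8)]),
    }


if __name__ == "__main__":
    print("fsutil 512/4096 ->", classify_drive(512, 4096))
    for name, (reads, writes) in demo().items():
        print(f"{name}: {reads} physical reads, {writes} physical writes")
```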

Microsoft SQL Server. SQL Server will 
query the drive to find out sector size. If the 
drive is 512e, the response will be that the 
sectors are 512 bytes. So SQL Server will do 
all its I/O in 512 bytes. This results in the 
same Read-Modify-Write process being 
triggered. This is described in greater detail 
in the blog post "SQL Server - New Drives 
Use 4K Sector Size" 
(blogs.msdn.com/b/psssql/archive/2011/01/13/sql-server-new-drives-use-4k-sector-size.aspx). 

Windows Home Server. Although the 
latest version of Windows Home Server 
supports 512e drives, the older version 
doesn't. According to Microsoft, "It is 
important to note that some hard disk 
manufacturers are releasing advanced format 
drives in the same base models as 
traditional 512-byte sector drives. Because 
of this, it is critical that you make sure that 
the drive you are purchasing is not an 
advanced format drive if you are running 
Windows Home Server v1." Unfortunately, 
it isn't always easy to determine whether a 
drive is using advanced format until you've 
already purchased the drive. It's often necessary 
to do some online research to make 
sure you know what you're getting. 

Microsoft Exchange Server. Exchange 
also has some specific rules about 4K drive 
use. For example, if you plan on using 4K 
drives, it is an "all or none" situation. Either 
all your databases are on 4K drives, or none 
of them are. Don't mix and match. Also, 
the use of 4K Native drives isn't supported. 
Only 512e drives are supported, and even 
then only with Exchange 2010 SP1 or better. 
You can find a full list of the rules for 
Exchange in the TechNet article "Understanding 
Storage Configuration: Exchange 
2010 SP1" (technet.microsoft.com/en-us/library/ee832792.aspx#Phys). 

Worried About Supportability? 

Microsoft's supportability stance is detailed 
in the article "Information about Microsoft 
support policy for large-sector drives 
in Windows" (support.microsoft.com/kb/2510009). 
The article not only outlines 
the supportability of 512e drives but also 
provides deeper information about some 
of the issues we've discovered as well as 
links to workarounds and fixes. As new 
issues are discovered, Microsoft will add 
them to this article. 

Keep in mind that even if you've 
updated Windows to support 512e drives, 
you still have to be using hardware that 
supports their use. Otherwise you might 
not see the drive correctly. If the controller 
or enclosure you're using with the drive 
fails to understand the new hardware, it will 
misreport the drive layout to Windows. 

Repercussions 

This is a huge change to the way we store 
data. And I don't think we're going to know 
everything it's going to affect until the 
public starts using these drives. That being 
said, I'm fairly sure that it will affect things 
like data recovery, computer forensics, 
backup software, and disk utilities—as well 
as OSs. Doing a bit of research beforehand 
can help you determine whether the time 
is right to make the jump to advanced 
format drives. 

Other resources that help explain these 
drives' interaction with Microsoft products 
are "512-byte Emulation (512e) Disk Compatibility 
Update," at msdn.microsoft.com/en-us/library/hh182553.aspx, 
and "Understanding 
the Impact of Large Sector Media 
for IT Pros," at technet.microsoft.com/en-us/library/hh147334(WS.10).aspx. 
The latter article has some great quick-reference 
tables and an in-depth description 
of the Read-Modify-Write process that I 
mentioned earlier. 
Use PowerShell to Bulk Replace 
Logon Scripts for AD Users 

I had to change the logon script for a 
select group of users who had a particular 
logon script configured in their 
Active Directory (AD) profiles. I 
discovered that this task is easy 
to accomplish using Quest 
Software's ActiveRoles Management 
Shell for Active Directory, 
which provides a free set of 
cmdlets for AD. You just need to 
use the Get-QADUser cmdlet with 
the -LogonScript argument to list all users 
configured with the old script, then pipe 
the results to the Set-QADUser cmdlet 
with the -LogonScript argument to replace 
the old logon script with the new one. The 
command looks like 

Get-QADUser -LogonScript OldFile | 
Set-QADUser -LogonScript NewFile 

where OldFile is the old logon script and 
NewFile is the new logon script. You can 
download the free ActiveRoles cmdlets at 
www.quest.com/powershell/activeroles-server.aspx. 

—Kaare Moe, 

IT advisor, The Norwegian Medical Association 

InstantDoc ID 141439 

A Mini-Treatise on Storage 
Device Identifiers in NTFS 

I recently visited a local computer system 
builder that I've worked with for more 
than 20 years. The owner (I'll refer to him 
as Bob) was assisting another consultant 
on a malware problem and assisting me 
with a disk warranty replacement. We had 
our usual friendly discussion, going back 
and forth across the bench. This time the 
chat was about disk identifiers. Bob said 
that you can't change the drive's serial 
number. I disagreed and mentioned that 
you can. Because there was no immediate 
need for further discussion on the 
subject, we just proceeded happily 
with our professional talk 
and the tasks at hand. 

A couple weeks later I had a 
physical-to-physical project in 
which the disk identifier subject 
came up again. To complete the 
project, I had to review the 
technical aspects one more 
time. When I was doing some research on 
the Internet, I found that the terms disk 
signature, signature, disk ID, volume ID, file 
system label, drive serial number, volume 
serial number, and disk unique ID were used 
one way by some authors and other ways 
by other authors. 

I therefore came up with my own mini-treatise 
on storage identifiers in NTFS. 
Here, I'll define these identifiers in terms 
of a single physical identifier and multiple 
logical identifiers. In this discussion, the 
term disk will mean any physical or logical 
storage container that holds either partitions 
or volumes, such as a hard disk, 
USB disk, solid state disk (SSD), 
Virtual Hard Disk (VHD), or Virtual 
Machine Disk (VMDK). 

If Bob was referring to the 
manufacturer's serial number 
(as printed on the outside label 
of a disk) in our discussion about 
disk identifiers, he was absolutely 
correct. The manufacturer's serial 
number is an alphanumeric identifier 
that's burned into the drive's electronics 
and can't be changed (as far as I can determine). 
To see this number, you can look at 




the drive's exterior label or use a free Desktop 
Management Interface (DMI) software 
utility, such as Hiyohiyo's CrystalDMI 
(crystalmark.info/software/CrystalDMI/index-e.html), 
Belarc's Belarc Advisor 
(belarc.com/free_download.html), or 
Topala Software Solutions' System 
Information for Windows (gtopala.com). 
Motherboard manufacturers such as HP 
and Toshiba also supply DMI utilities. 

I propose that we refer to the physical 
identifier as the physical device serial number. 
To the best of my knowledge, it's used 
only for manufacturing, quality control, 
distribution, and warranty purposes. 

The logical identifier is what I was 
thinking about during my discussion with 
Bob. All logical identifiers can be changed 
under controlled conditions. The logical 
identifiers can be broken into two types: 
disk IDs and container IDs. 

Disk signature, signature, disk ID, drive 
serial number, UniqueID, and disk unique ID 
all refer to the same logical identifier that's 
stored in a disk's Master Boot Record (MBR). 
I propose that we refer to this identifier 
as the disk ID because that's how it's displayed 
by Windows' Diskpart utility. 

The disk ID is located on the physical 
disk in Sector 0 (i.e., the 512-byte 
MBR) at offset 0x01B8. It's created 
by Windows (or another OS) 
when a new disk is seen by the 
OS for the first time. This is sometimes 
referred to as the "initialize" 
phase of provisioning a disk (not 
to be confused with the partitioning 
and formatting 
operations that follow initialization). 

The disk ID in the MBR is a unique 
4-byte identifier (i.e., an eight-digit 
alphanumeric identifier without spaces or 
dashes) that can't be changed by creating, 
deleting, or formatting partitions or 
volumes. In Windows Vista and later, you 
can use the Diskpart utility (which was 
introduced in Windows Server 2003 SP1) 
to find out the disk ID. 
1. In a Command Prompt window, 
type diskpart and press Enter. 

2. In the diskpart.exe window that 
appears, type list disk and press Enter. Write 
down the number of the disk for which 
you want to see the ID. 

3. Type select disk #, where # is the 
number you wrote down in step 2. Press 
Enter. 

4. Type detail disk and press Enter. The 
information that appears will include the 
disk ID. Alternatively, you can type uniqueid 
disk and press Enter to retrieve the disk ID. 

5. Type exit and press Enter to end the 
Diskpart session. 

Note that if you attach a new disk fresh 
out of the wrapper (or secure erase a used 
disk) and perform steps 1 through 4, the 
disk ID will be 00000000. The eight zeros 
tell you that the disk has never been initialized. 
If you then initialize the disk and 
repeat steps 1 through 4, you'll see that 
Windows created a unique alphanumeric 
disk ID, such as A1 B2 C3 D4. Interestingly, 
the disk ID will be laid out in the opposite 
direction—D4 C3 B2 A1—on the physical 
disk. To avoid getting into a long discussion 
about endianness, I'll simply refer to 
this as being in "reverse sequence." 

In Vista and later, you can also use 
the Microsoft Product Support Reports 
utility (www.microsoft.com/download/en/details.aspx?id=24745) 
to see the disk ID. 
After you run the utility, find the dmdiag.log 
or diskmap.txt file in the General 
folder. The disk ID will be listed as the 
signature. Note that in the dmdiag.log file, 
the disk ID is prefixed with 0x. 

In Windows XP, you can use the 
dmdiag.exe utility to see the disk ID. It will 
be listed as the signature in the "Partition 
Table Info Disk#" section. 

According to a Microsoft Customer 
Service and Support (CSS) representative, 
Windows uses the disk ID as an index to 
store and retrieve information about the 
disk. For example, in the HKLM\SYSTEM\ 
MountedDevices registry subkey, the 
disk ID appears as REG_BINARY data 
in the \DosDevices\<DriveLetter> and 
\??\Volume{<xxxxxx-xxxx-xxxx-xxxx- 
xxxxxxxxxxxx>} entries because Windows 
uses the disk ID to store and retrieve 
information about persistent drive letter 
mappings and mount points. 


In addition, the disk ID is used in RAID 
arrays (see technet.microsoft.com/en-us/library/cc771775.aspx) 
and Windows 
clustering (see support.microsoft.com/kb/883286/e). 
It's also used to enumerate 
physical disks in Vista and later. If you look 
in the Identifier entry under the HKLM\ 
HARDWARE\DESCRIPTION\System\ 
MultifunctionAdapter\0\DiskController\0\ 
DiskPeripheral\<WindowsDiskManagementDiskNumber> 
subkey, you'll see the disk ID 
embedded in the REG_SZ data. 

The disk ID can be changed if necessary 
to support cloning situations (e.g., 
you want to reuse the old disk in the same 
storage system as the newly cloned disk). 
You can use the Diskpart utility to change 
the disk ID by following the instructions 
given previously. However, instead of 
typing detail disk or uniqueid disk in step 4, 
you'd type uniqueid disk id=xxxxxxxx, 
where xxxxxxxx is the new disk ID. Be 
aware that you can lose data or render 
your OS unbootable by tampering with 
the disk ID. 

After a disk has been initialized, you 
can create partitions or volumes, which 
will also have identifiers. Before I discuss 
those identifiers, though, you need to 
know about some confusing terminology 
in the Microsoft Management Console 
(MMC) Disk Management snap-in (disk 
mgmt.msc). 

If you create a partition on a disk, the 
disk is labeled as a "basic" disk in the Disk 
Management snap-in. According to the 
Help file for Windows 7's Disk Management 
snap-in, "Basic disks have been 
supported in operating systems since 
MS-DOS, while dynamic disks have been 
supported in operating systems since 
Windows 2000." Incidentally, converting 
a basic disk to a dynamic disk doesn't 
change its disk ID. For more information 
about basic and dynamic disks, go 
to msdn.microsoft.com/en-us/library/aa363785(v=vs.85).aspx. 

Another dose of confusing terminology 
is introduced in Vista and later. 
If you're using XP's Disk Management 
snap-in to create a partition on a disk and 
you right-click somewhere in the space 
marked as Unallocated, you'll see the New 
Partition option. But if you're using Vista's 
or Windows 7's Disk Management snap-in, 
you'll see the New Simple/Spanned/ 
Striped/Mirrored/RAID5 Volume option. 
Note the word Volume. Volumes aren't 
partitions. Rather, partitions on basic disks 
hold nondynamic volumes. With that said, 
if you choose "New Simple Volume,"you'll 
actually get a basic disk with a partition. If 
you format that new partition, you'll create 
a nondynamic volume. 

I'll hazard a guess that even though 
it's not technically correct, Microsoft 
chose to use the word volume instead of 
partition in the container creation process 
to shield users from the concept that partitions 
hold volumes. Perhaps Microsoft 
did so thinking that most users care only 
about creating volumes and don't care 
about the underlying partitions. But IT 
technicians should care about traditional 
partitions on basic disks because of 
the need to properly align partitions to 
maximize the performance of software 
such as Microsoft Exchange Server and 
SQL Server. 

There are three types of container IDs: 
partition IDs, volume labels, and volume 
IDs. Note that converting a basic disk to 
a dynamic disk changes the partition 
IDs but doesn't change volume labels or 
volume IDs. 

Partition IDs. A partition ID consists of 
four 16-byte entries in the disk's MBR. The 
information is located on the physical disk 
in Sector 0 at offset 0x01BE. Unlike disk 
IDs, partition IDs aren't assigned cryptic 
alphanumeric identifiers by Windows. If 
you use the Diskpart utility's detail partition 
command, you'll see that the first partition 
is identified as Partition 1, the second 
partition is identified as Partition 2, and so 
on. Interestingly, dmdiag.exe, dmdiag.log, 
and diskmap.txt identify the first partition 
as Partition0, the second partition as Partition1, 
and so on. 

Volume labels. A volume label, which 
is also known as a file system label, is an 
optional alphanumeric identifier stored in 
the NTFS metafile $Volume. When you're 
formatting a disk, Windows suggests 
the name "New Volume," but you can 
customize it. After the volume is created, 
you can also change the volume label 
with no adverse effects. In XP and later, 
you can change it by right-clicking the 
disk, selecting Properties, and entering 
the new name (up to 32 alphanumeric 
characters) on the General tab. You can 
also change the Volume Label from a 
Command Prompt window by running a 
command such as 

LABEL Q: IamDiskQ 

Volume IDs. Volume identifier, 
VolumeID, and volume serial number all 
refer to the volume ID. A volume and its 
volume ID are created when you format 
a basic disk partition or create a dynamic 
disk volume. A volume ID is sometimes 
required for decoding content (see 
en.wikipedia.org/wiki/Advanced_Access_Content_System) 
and is thus employed as 
a weak form of copy protection. It's also 
used in Windows Activation in conjunction 
with the disk ID. 

The Diskpart utility's list volume 
command enumerates all the volumes on a 
disk, identifying the first volume as Volume 0, 
the second volume as Volume 1, and so on. 
Although you can't see them in the list 
volume command's results, the volumes also 
have unique nine-character alphanumeric 
identifiers. 

To see a volume ID in Windows OSs, 
you must first assign a drive letter to the 
disk using the Disk Management snap-in. 
(Right-click the volume, select Change 
Drive Letters and Paths, then choose Add.) 
Once that's done, there are several ways 
you can view the volume ID: 

• In a Command Prompt window, type 
VOL and press Enter. It'll be listed as the 
Volume Serial Number and look like 
B633-B4C8, for example. Note the hyphen 
that Windows uses in the volume ID. 

• Use a disk editor to view the logical disk. 
You'll find the volume ID in Sector 0 
at offset 0x48 in reverse sequence 
compared with the way it's listed in the 
VOL command's results. In addition, 
there won't be a hyphen. So, for this 
example, it looks like C8 B4 33 B6. 

• Use a disk editor to view the physical 
disk. You'll find the volume ID in 
Sector 63 at offset 0x7E48 (63 × 512 + 0x48; 
the offset moves with the partition's 
starting sector, so on a disk whose first 
partition starts at sector 2048 the serial 
lands elsewhere). Once again, it'll be in 
reverse sequence and without a hyphen 
(e.g., C8 B4 33 B6). 

The Diskpart utility doesn't provide a 
way to change the volume ID. However, 
Mark Russinovich's free VolumeID utility 
(technet.microsoft.com/en-us/sysinternals/ 
bb897436) provides this functionality 
for FAT and NTFS volumes. However, it's 
important to note that tampering with the 
volume ID can render your OS unbootable. 
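As an added example that is not part of the original article, the following Python script shows where the identifiers described above sit on disk by parsing a constructed MBR and NTFS boot sector: the four 16-byte partition entries at offset 0x1BE, the 4-byte disk signature (the disk ID) at offset 0x1B8, which the article mentions but does not locate, and the volume serial at offset 0x48 of the partition's boot sector, reached either directly or by walking to sector 63 of a physical-disk image. The sample sectors are constructed in the script, not captured from a real disk; the disk-signature value is arbitrary, and the volume serial is the article's B633-B4C8 so the byte-order point (C8 B4 33 B6 on disk) can be checked.

```python
"""Recover MBR partition entries, the disk signature and the NTFS volume
serial from raw sector bytes. Sample sectors are constructed below; they
are not from a real disk."""
import struct

SECTOR = 512
MBR_DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte Windows disk signature (disk ID)
MBR_PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries, as the article says
NTFS_VOLUME_SERIAL_OFFSET = 0x48    # 8-byte serial in the NTFS boot sector
PARTITION_ENTRY = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA, size


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries.

    Entries are numbered 1..4 to match diskpart's 'detail partition';
    subtract 1 to get the dmdiag/diskmap numbering.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    disk_sig = struct.unpack_from("<I", mbr, MBR_DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = MBR_PARTITION_TABLE_OFFSET + 16 * i
        boot, _chs0, ptype, _chs1, lba, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"number": i + 1, "bootable": boot == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": sectors})
    return {"disk_signature": f"{disk_sig:08X}", "partitions": partitions}


def ntfs_volume_serial(boot_sector: bytes) -> str:
    """Return the volume serial in the XXXX-XXXX form that VOL prints.

    The serial is stored little-endian at 0x48; VOL shows its low 32 bits,
    which is why a disk editor shows the bytes reversed and without a hyphen.
    """
    if boot_sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    serial = struct.unpack_from("<Q", boot_sector, NTFS_VOLUME_SERIAL_OFFSET)[0]
    low32 = serial & 0xFFFFFFFF
    return f"{low32 >> 16:04X}-{low32 & 0xFFFF:04X}"


def volume_serial_from_physical_image(image: bytes, partition_lba: int) -> str:
    """Locate a partition's boot sector in a physical-disk image and read its serial."""
    start = partition_lba * SECTOR
    return ntfs_volume_serial(image[start:start + SECTOR])


def build_sample_disk() -> bytes:
    """Constructed 64-sector image: MBR at sector 0, NTFS boot sector at sector 63."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, MBR_DISK_SIGNATURE_OFFSET, 0x1A2B3C4D)  # arbitrary disk ID
    # One bootable NTFS (type 0x07) partition starting at LBA 63, 2048 sectors long.
    struct.pack_into(PARTITION_ENTRY, mbr, MBR_PARTITION_TABLE_OFFSET,
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2048)
    mbr[510:512] = b"\x55\xAA"

    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"      # jump instruction of an NTFS boot sector
    boot[3:11] = b"NTFS    "         # OEM ID
    # Serial 0x00000000B633B4C8 stored little-endian: C8 B4 33 B6 at 0x48.
    struct.pack_into("<Q", boot, NTFS_VOLUME_SERIAL_OFFSET, 0xB633B4C8)
    boot[510:512] = b"\x55\xAA"

    image = bytearray(SECTOR * 64)
    image[0:SECTOR] = mbr
    image[63 * SECTOR:64 * SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    disk = build_sample_disk()
    info = parse_mbr(disk[:SECTOR])
    print("disk signature:", info["disk_signature"])
    for p in info["partitions"]:
        print(f"Partition {p['number']}: type 0x{p['type']:02X}, "
              f"LBA {p['lba_start']}, {p['sectors']} sectors")
        print("volume serial:", volume_serial_from_physical_image(disk, p["lba_start"]))
    # Physical offset 63 * 512 + 0x48 = 0x7E48, the offset quoted in the article.
    print("bytes at 0x7E48:", disk[0x7E48:0x7E48 + 4].hex(" ").upper())
```

The same functions work on the first sectors of a raw image, or on `\\.\PhysicalDrive0` opened read-only from an elevated Python on Windows; the walk from MBR entry to boot sector is what a forensic examiner does to tie a VOL serial back to a physical disk.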

I hope that this mini-treatise on 
storage identifiers has helped resolve any 
confusion you might have had about 
the terms signature, disk ID, volume ID, 
drive serial number, volume serial number, 
or disk unique ID. If you'd like to learn 
more about the systems and technologies 
behind these terms, check out the 
resources listed in the online Learning 
Path (www.windowsitpro.com, InstantDoc 
ID 141438). 

—Bret A. Bennett, IT consultant 

InstantDoc ID 141438 
ANSWERS TO YOUR QUESTIONS 



Q: What tasks can I use keyboard 
shortcuts for in Microsoft Outlook? 

A: Windows has a long list of keyboard 
shortcuts to increase user efficiency and 
provide alternative input mechanisms for 
basic program functionality. Like most 
major applications, Microsoft Outlook uses 
Windows keyboard shortcuts for specific 
Outlook functionality and interface 
manipulation. Microsoft has literally hundreds 
of keyboard shortcuts for Outlook. 

Many of the shortcuts are navigational, 
such as moving between or jumping to a 
specific folder (e.g., Ctrl+1 for Mail, Ctrl+2 
for Calendar). One keyboard shortcut that 
has always been mildly confusing to me 
is the one to initiate a Send and Receive in 
Outlook. I consider the Send and Receive 
command a form of refresh for email 
folders. In many Microsoft applications, F5 
is commonly used to refresh the current 
interface and its rendered content. But in 
Outlook, F9 has always been the shortcut 
key to launch a manual Send and Receive 
request. Here are a few keyboard shortcuts 
I use in Outlook that aren't as common as, 
say, Alt+S to send a message or Ctrl+N to 
create a new item. 

Wherever you are in Outlook, you 
can easily launch the New Search Folder 


window by selecting Ctrl+Shift+P. I prefer 
keyboard shortcuts I can select with one 
hand, such as Ctrl+C to copy and Ctrl+V to 
paste. I use very few that need three keys 
and both hands; however, I use search 
folders a lot and this keyboard shortcut is 
one I favor. 

When you're within the Calendar 
view in Outlook, the interface offers Day, 
Work Week (in Outlook 2010), Week, 
and Month views of the calendar. You 
can also get a 10-day view with a simple 
keyboard shortcut. With a day selected in 
the Outlook calendar, it's a simple Alt+0 
to render a 10-day view starting with the 
day that was highlighted. In fact, you can 
view any number of days from 1 through 
10 by using Alt plus the number of days 
you want to see. For example, Alt+8 shows 
a view of 8 days in your Outlook Calendar. 
If you're displaying multiple calendars, 
this setting applies to all of them 
simultaneously. 

If you code simple macros or work in 
Visual Basic for Applications through 
Outlook, you probably use Alt+F11 to launch 
the Visual Basic Editor within Outlook. 

The Visual Basic Editor opens up to the 
same file (if any, and if available) that was 
accessed when it was last closed. 

Microsoft publishes a formal list of 
keyboard shortcuts for different versions 
of Outlook. You can expand the categories 
of shortcuts and print their pages for a 
complete reference. 

• Keyboard shortcuts for Outlook 2003 
(office.microsoft.com/en-gb/outlook-help/keyboard-shortcuts-HP003084223.aspx) 

• Keyboard shortcuts for Outlook 2007 
(office.microsoft.com/en-gb/outlook-help/keyboard-shortcuts-for-outlook-HP001230396.aspx) 

• Keyboard shortcuts for Outlook 2010 
(office.microsoft.com/en-gb/outlook-help/keyboard-shortcuts-for-microsoft-outlook-2010-HP010354403.aspx) 

—William Lefkovics 
InstantDoc ID 141448 

Q: Can I use Windows Server 2008 
R2, Windows Server 2008, and 
Windows Server 2003 R2 instances 
in a single DFS Replication set? 

A: Yes, you can have a mix of Windows 
Server 2003 R2, Windows Server 2008, and 
Windows Server 2008 R2 in a single 
DFSR set. However, you need to apply a 
hotfix to the Windows Server 2003 R2 boxes 
to ensure proper functioning. Find this 
hotfix at the Microsoft support article "DFSR 
fails from a computer that is running 
Windows Server 2008 R2 to a computer 
that is running Windows Server 2003 R2" 
(support.microsoft.com/kb/2462352). 

—John Savill 
InstantDoc ID 141444 

Q: How can I enable Windows Aero 
Redirection on a Citrix XenDesktop 
virtual machine? 

A: The Windows Aero interface offers a 
richer user experience for users connecting 
to Citrix XenDesktop virtual machines 
(VMs). Aero Redirection is disabled by 
default in XenDesktop. To enable it, 
expand the HDX Policy node in Citrix 
Desktop Studio and click Users. Under 
ICA Options, select Desktop UI, and in the 
Settings area, select Aero Redirection to 
enable or disable its features. 

Be cautious and monitor your network 
usage before you enable Aero Redirection. 
Turning on this feature can increase the 
amount of data that must pass between 
server and client to support each user 
session. 

—Greg Shields 

InstantDoc ID 141514 
Figure 1: System Center Data Access Service properties 


Q: How can I check what account 
I previously configured when I 
installed the beta of System Center 
Operations Manager 2012, so I can 
use the same account for the RC 
upgrade? 

A: First, if you're upgrading from the beta 
of System Center Operations Manager 
2012 (SCOM 2012) to the release candidate 
(RC), make sure you download the RC 
documentation and follow the deployment 
guide for the steps to perform the 
upgrade. 

For the Data Access Service account, 
the best practice is not to use Local System 
for the Operations Manager services but 
instead to use a domain account. To check 
what account you previously configured 
when you installed the beta, launch 
services.msc and look at the properties of 
System Center Data Access Service (see 
Figure 1). Check the Log On tab, which 
displays the account you currently have 
configured for the beta, so you can use the 
same account during the RC upgrade. 

—John Savill 
InstantDoc ID 141611 

Q: How does the Microsoft Security 
Compliance Manager compare to 
other Microsoft security 
management tools? 

A: Microsoft offers many free security 
tools. I've written about the Microsoft 
Security Compliance Manager (SCM) 
separately, but there are some others 
you might want to know about, such as 
the Microsoft Baseline Security Analyzer 
(MBSA), security templates, and the 
Security Configuration Wizard (SCW). 

MBSA is a tool you can use to scan 
local or remote Windows computers 
for a fixed and limited amount of 
general security information, 
such as the presence of weak passwords, 
administrative vulnerabilities, and the 
status of security patches. MBSA's biggest 
shortcoming is its lack of customization: 
You can't add your own security scans to 
an MBSA run, and you can't create different 
MBSA scans for different machine types or 
roles. The latest version, MBSA 2.2, includes 
support for Windows 7 and Windows 
Server 2008 R2 machines. 

Security templates are the oldest 
Microsoft security management tool; 
Microsoft first included them in Windows NT. 
Administrators can use security templates 
to configure the security-related settings 
of their Windows machines and deploy 
them by using Group Policy Object (GPO) 
settings. Thanks to their GPO integration, 
security templates let administrators 
configure security-related settings on 
different computers in a single effort. 

Security templates can cover the 
following security-related settings: account 
policies, audit policies, user rights, security 
settings, event log settings, restricted 
groups, system services, registry 
permissions, and file and folder permissions. 
Security templates can also be applied to 
individual local machines (one machine 
at a time) by using the Security 
Configuration and Analysis (SCA) tool or its 
command-line equivalent, secedit.exe. 
However, SCA and secedit require the 
creation of a special security database 
on each machine before you can actually 
use the tools to apply security template 
settings. 


SCW was Microsoft's first security 
management tool based on machine roles 
and a security configuration database. It was 
introduced in Windows Server 2003 SP1. 
Microsoft designed SCW to cover Windows 
firewall rules, network and authentication 
protocol, and audit security configuration 
settings on Windows servers. 

SCW policies can be applied only to 
Windows servers, not Windows desktops. 
Also, although the tool is wizard-driven, 
it isn't a straightforward process to 
create security policies with SCW and then 
deliver these policies to servers by using 
GPOs. SCW baseline policies can be 
imported into a GPO by using the 
scwcmd.exe command-line tool. 

SCM should become every security 
administrator's preferred security 
management tool for Windows clients and 
servers. Compared to these earlier tools, SCM 
is definitely Microsoft's most complete 
security management tool ever. The SCM 
security baselining capabilities can 
support different Windows machine roles and 
types. They also support a wide range of 
Microsoft OS versions and cover key 
applications such as Internet Explorer (IE) and 
Microsoft Office. SCM has an easy-to-use 
interface, is customizable, and integrates 
with other important Windows management 
tools such as GPOs and System 
Center Configuration Manager. 

—Jan De Clercq 

InstantDoc ID 141390 

Q: What System Center 2012 beta 
or Release Candidate products are 
compatible with the System Center 
Service Manager 2012 beta? 

A: With the new System Center 2012 
wave approaching, and all of the products 
available in beta versions or as release 
candidates (RCs), it's critical to know which 
ones work with the System Center Service 
Manager (SCSM) 2012 beta, as this beta 
sits at the center of the entire System 
Center 2012 wave. Microsoft has a blog 
post "SCSM 2012 Public Beta Released!" 
(blogs.technet.com/b/servicemanager/archive/2011/10/30/scsm-2012-public-beta-released.aspx) 
that details the full 
compatibility matrix in a table. 

—John Savill 

InstantDoc ID 103193 
Q: When deploying System Center 
Configuration Manager 2012 and 
connecting it to my System Center 
Configuration Manager 2007 
installation, should I use the same 
site code? 

A: You shouldn't use the same site code 
for separate System Center Configuration 
Manager (SCCM) 2007 and SCCM 2012 
installations, and you can't migrate from 
SCCM 2007 to SCCM 2012 if you have 
used the same site code. Always use a 
different site code for side-by-side SCCM 
installations. 

—John Savill 

InstantDoc ID 141603 

Q: What Windows Firewall ports 
does Citrix XenDesktop use to 
communicate with its VMs? 

A: If you enable Windows Firewall on 
virtual machines (VMs) inside your LAN, you'll 
need to ensure that ports and features are 
enabled to support Citrix XenDesktop's 
services. They are as follows: 

• For core functionality, enable ports 
for ICA, Workstation Agent, and CGP 
services: TCP ports 1494, 80, and 2598. 

• For user-to-user desktop shadowing, 
enable ports for Remote Assistance: TCP 
port 3389. 

• For real-time monitoring, enable the 
Remote Management feature. 

• For HDX RealTime for Audio, open UDP 
ports 16500 through 16509. 

—Greg Shields 

InstantDoc ID 141521 

Q: Can Microsoft RemoteFX be 
used with Citrix XenDesktop? 

A: When Citrix XenDesktop virtual 
machines (VMs) are run atop the Hyper-V 
hypervisor, those VMs can take advantage 
of the user experience benefits Microsoft 
RemoteFX provides. A few other 
requirements are necessary on each Hyper-V host: 

• The CPUs must support Second 
Level Address Translation (SLAT). 
This technology is referred to as EPT 
(Extended Page Table) on Intel CPUs. 

• The graphics processing units (GPUs) 
must be identical and must fully support 
DirectX 9.0c and DirectX 10.0. 

• The GPUs need plenty of RAM, and 
they must comfortably contain both 
the Hyper-V machine's console and the 
consoles of all running sessions. 

• SP1 for Windows Server 2008 R2 must 
be installed. 

System Center Virtual Machine Manager 
2008 SP1 is also required to support 
Machine Creation Services, and user 
devices must be running Windows 7 SP1 
with the Citrix Receiver for Windows 3.0 
client software. More information about 
these requirements can be found in the 
Citrix website Knowledge Center article 
"How to Use RemoteFX with XenDesktop 5.5" 
(support.citrix.com/article/ctx129509). 

—Greg Shields 
InstantDoc ID 141513 

Q: How can I apply VM 
optimization best practices to a 
Citrix XenDesktop VM? 

A: Citrix XenDesktop includes a TargetOS 
Optimizer tool that can be used during 
installation of the Virtual Desktop Agent 
to implement a series of performance 
optimizations on a master virtual machine 
(VM). This tool can also be run manually. 

A list of the specific optimizations this tool 
performs is found in the Citrix website 
Knowledge Center article "How to Optimize 
XenDesktop Machines" (support.citrix.com/ 
article/ctx125874). 

—Greg Shields 

InstantDoc ID 141518 

Q: What is Citrix multi-stream 
ICA, and how does it improve 
performance? 

A: Citrix XenDesktop 5.5 adds the option 
to deliver ICA traffic over multiple streams, 
four of which are TCP streams with a fifth 
UDP stream used for audio. The separation 
of ICA traffic into multiple streams lets 
administrators apply Quality of Service 
(QoS) prioritizations to individual 
components of an ICA session. Administrators 
can apply priorities to session features based 
on business needs, such as ensuring that 
audio quality remains high in VoIP 
applications even during network congestion. 

With multi-stream ICA, each ICA 
virtual channel is associated with a class 
of service in delivering a user session. The 
four classes of service, each of which maps 
to a TCP stream, are as follows: 

• Very High Priority: used for real-time 
channels such as audio 

• High Priority: used for interactive channels 
such as graphics, keyboard, and mouse 

• Medium Priority: used for bulk virtual 
channels such as drive mapping, 
scanners (TWAIN), and more 

• Low Priority: used for background virtual 
channels such as printing 

—Greg Shields 

InstantDoc ID 141517 

Q: Where can I see a report of 
security vulnerabilities for 
Microsoft technologies? 

A: Microsoft produces a report that 
provides detailed findings on the state 
of Microsoft security initiatives and 
exploits in the previous six months. As 
of publication time for this FAQ, the 
most recent report can be found at 
"Microsoft Security Intelligence Report 
volume 11" (download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf). 
The main site can be found at 
Microsoft Security (www.microsoft.com/ 
security/sir/default.aspx), which has links 
to all the previous reports. 

—John Savill 

InstantDoc ID 141654 

Q: How can I run two commands 
on one command line in cmd.exe? 

A: It's actually very easy to run multiple 
commands on a single line by using 
cmd.exe: Just add the "&" character between 
the commands, like this: 

cd data & notepad file.txt 

This command changes the folder to data, 
then opens the file named file.txt. With a 
single &, the second command runs whether 
or not the first one succeeded. You can 
use more advanced combinations that 
run the second command only if the first 
was successful; to do so, use && instead of 
just a single &. You can also run the 
second command only if the first command 
returns an error; to do this, use ||. Following 
is an example of using && and ||: 

<first command> && <second command runs if first is successful> 
<first command> || <second command runs if first has an error> 

—John Savill 
InstantDoc ID 141655 

Q: How can I apply a security 
baseline that I defined through 
Microsoft Security Compliance 
Manager to a non-domain-joined 
Windows machine? 

A: When you install Security Compliance 
Manager 2 (SCM 2), it automatically installs 
the installation program of a tool called 
LocalGPO. This tool lets you apply an SCM 
security baseline to a non-domain-joined 
computer—that is, a computer where 
you can't leverage Active Directory (AD) 
Group Policy Objects (GPOs) to apply SCM 
security baselines. 

To use LocalGPO on a non-domain-joined 
computer, you must either install a 
local copy of the tool or use the GPOPack 
option. GPOPack bundles LocalGPO and 
the GPO settings inside a self-extracting 
file that you can then automatically install 
on your clients. 

You can find more information in the 
SCM 2 Help files, in the section titled 
"Create a GPOPack to apply the same settings 
to a computer without installing 
LocalGPO." GPOPack is the simplest option. 

For the other option, to install a local 
copy of LocalGPO, you must follow these 
steps. You can find LocalGPO.msi in the 
%SystemDrive%\Program Files\Microsoft 
Security Compliance Manager\LGPO file 
system folder of a computer where you 
successfully installed SCM 2. 

1. Copy the installation file to the 
non-domain-joined computer and run it. 

2. To verify that LocalGPO installed 
successfully, click Start, All Programs, and 
check that the LocalGPO folder shows up 
in the program list. 

Then you can use the SCM tool to generate 
the GPO backup of the desired baseline. To 
do so, navigate to the baseline in the SCM 
interface and select the GPO Backup (folder) 
option under Export in the Action pane on 
the right, as Figure 2 shows. 

Finally, you must copy the GPO 
backup from the SCM machine to the 
non-domain-joined computer. Then you'll 
need to run LocalGPO to effectively apply 
the settings in the GPO backup to the 
local policy of the non-domain-joined 
computer. 

Figure 2: SCM interface, showing the GPO Backup (folder) option in the Action pane on the right 

To do so, right-click the LocalGPO 
command line in the Start menu and 
select Run as administrator. Then, type 
the following at the command prompt 
to apply the GPO security baseline to the 
non-domain-joined computer: 

LocalGPO.wsf /path:"<file system path to GPO backup>" 

For example: 

LocalGPO.wsf /path:"C:\Users\Jan\Desktop\GPO Backup{e08fb722-7c4f-43ae-bc82-da717a5fe815}" 

—Jan De Clercq 

InstantDoc ID 141391 

Q: What is the difference between 
Operating System Images and 
Operating System Installers in 
System Center Configuration 
Manager 2012? 

A: Operating System Installers are the 
complete OS installation media imported 
into the configuration manager server. 
Operating System Installers are used to 
create custom images through the System 
Center Configuration Manager (SCCM) 
2012 Build and Capture task sequences. 

Operating System Images are the 
actual Windows Imaging Format (WIM) 
files that contain OS images. These WIM 
files might come directly from the 
Windows installation media, from a custom 
process and captured using ImageX, or 
created through the SCCM 2012 Build 
and Capture process as I discussed in the 
previous paragraph. Typically, you'd use 
Operating System Images when deploying 
OSs via task sequences. 

—John Savill 

InstantDoc ID 141648 

Q: Where is Trace32.exe in 
System Center Configuration 
Manager 2012? 

A: In System Center Configuration 
Manager (SCCM) 2007 and earlier, a tool 
called Trace32.exe was available as part 
of the SCCM support tools, which made 
viewing the SCCM log files easier. The 
bad news is you won't find Trace32.exe in 
SCCM 2012. 

The good news is that's because it's 
been renamed CMTrace.exe. It's now part of 
the SCCM 2012 installation, installed in the 
C:\Program Files\Microsoft Configuration 
Manager\tools folder by default. 

A version of CMTrace is also available 
during OS deployments with SCCM 2012, 
to aid troubleshooting. It can be found in 
the x:\sms\bin\<architecture> folder. 

—John Savill 
InstantDoc ID 141648 
Microsoft released the initial version of Windows Intune, its cloud-based PC-management 
service, in March 2011, providing basic Microsoft System Center-like 
capabilities to a wider audience. As I explained in "Windows Intune Brings PC 
Management Into the Cloud" (May 2011, InstantDoc ID 129945), the initial release 
covered the basics (minus one glaring functional hole) and saw adoptions across 
a range of customer segments. Because Intune is a cloud-based service, Microsoft 
isn't beholden to the slow, monolithic upgrade strategy that comes with traditional, on-premises 
servers. So a scant seven months later, in October 2011, the company provided a significant update to 
Intune. Already, this update, which I call Intune 2, fills that functional hole and significantly increases 
the value of this service. 

As a refresher, Intune is essentially a standalone service that exists outside of whichever internal 
infrastructure you might have in your environment. For small businesses—even very small businesses, 
such as startups—this independence from a formal infrastructure is a huge benefit. Intune can easily 
manage disparate, physically isolated PCs as long as they're connected to the Internet. 

For larger businesses with an Active Directory (AD) infrastructure, Intune provides basic AD 
acknowledgement—it respects and gives precedence to any Group Policies that you've established, for 
example—but no true integration. This approach isn't necessarily a negative, however. According to 
Microsoft, some interesting scenarios have unfolded in these businesses: Machines that are rarely or 
never connected directly to the local network, such as laptops of frequent travelers or even executives' 
home machines, can be managed more easily using Intune than using AD. In these situations, treating 
isolated machines differently often makes sense. 

Intune provides a core set of functionality. You can manage individual computers or groups of 
computers to 

• process security fixes and other updates 

• ensure that each machine is up-to-date with security software, such as the Microsoft Forefront 
Endpoint Protection client, which resembles Microsoft Security Essentials and is provided with 
Intune 

• receive alerts when things go awry 
• view per-PC software inventories 

• oversee (though not enforce) software licensing to ensure that you're in compliance 
• create flat policies that are simpler than, but do not fully integrate with, AD Group Policies 
• create and view reports 
• accomplish other administrative duties 


Microsoft updates this handy, back-to-basics PC-management service 

by Paul Thurrott 

WINDOWS INTUNE 2 


Unlike with System Center, you manage 
Intune remotely, through a simple web- 
based interface. Clients are monitored and 
updated remotely, over the Internet. Intune 
is provided as a subscription service, so 
you pay a per-PC monthly fee. (More about 
licensing costs later.) Note that there are 
some additional benefits to doing this price 
scheme, including Windows 7 Enterprise 
upgrade rights for each managed PC. And 
for an additional $1 per PC per month, you 
also gain access to the excellent capabili¬ 
ties in the Microsoft Desktop Optimization 
Pack (MDOP). 

On the flipside, Intune is not as 
full-featured as System Center, though Microsoft 
has been vocal about quickly achieving 
partial parity—where doing so makes 
sense—through a series of updates to the 
service. Intune 2 is the first major step in 
that direction. 

What's New in Intune 2: Software 
Distribution 

When I examined the initial Intune service 
in early 2011, I was pretty impressed 
overall. (You can see my reaction in "Windows 
Intune Brings PC Management Into the 
Cloud.") That said, I noted one major 
missing feature, and I had some concerns about 
the pricing model. I felt, and still feel, that 
very small businesses are unlikely to pony 
up the required per-PC monthly fee, no 
matter how rich the experience. Microsoft 
has yet to address my pricing concerns— 
more on that in a bit—but did add in that 
missing feature. And it's a big one: software 
distribution. 

Thanks to Intune 2's new 
software-distribution functionality, you can now 
arbitrarily deploy software applications and 
updates to client PCs that are managed by 
the service. Think about that for a second. 
The only client-side requirement is that 
these PCs be connected to the Internet and 
have the Intune client agent installed on 
them. The administrator, from the simple 
web-based interface, can manage which 
applications are deployed to which PCs. 
And then that happens, automatically, over 
the Internet. 

Now, depending on the complexity of 
the application that you want to deploy, 
this process might require some work. If 
you've spent any time deploying software 
in a managed, AD-based environment, the 
methodology here is second nature, and 
the application packages that you create 
are identical to those that you'd deploy 
through AD or System Center. But because 
Intune targets a more diverse customer 
base, many of whom have never performed 
that type of deployment, things can get a 
bit tricky. 

Again, it depends on the software. 
Consider a simple application, such as 
Adobe Reader. To deploy that type of 
application, you first log on to the Windows 
Intune management console at 
manage.microsoft.com. You then go to the revamped 
Software interface, which includes areas for 
Detected Software—essentially an inventory 
of the software applications across 
your managed PCs—and the new Managed 
Software area, from which you deploy and 
manage applications. From the perspective 
of the management console, there are 
two steps to deploying software. First, you 
must upload the software to Intune, and 
second, you determine to which clients to 
deploy it. 

For the first activity, Intune provides a 
handy wizard that steps you through the 
process. You specify the file or files that 
constitute the application package; 
provide descriptive information; specify the 
processor architecture, if required (32-bit, 
64-bit, or any); specify which Windows 
versions are supported (Windows 7, Windows 
Vista, Windows XP, or any); and then 
navigate a series of increasingly complex 
options. Intune supports detection rules, 
which help you to fine-tune whether to 
install the software to particular PCs, which 
command-line arguments to use, and even 
how to interpret return codes. That last 
option can help you to troubleshoot failed 
deployments but is likely to be over the heads 
of inexperienced users. 

Figure 1: Uploading software to Windows Intune 

At this point, the software is uploaded 
to Intune, as Figure 1 shows. Each Intune 
account is provided with 2GB of storage on 
Windows Azure, so each application that 
you upload (and doing so is a requirement 
for deployment) eats into this allotment. 
Each application that you upload appears 
in the Managed Software area. 

Managed Software displays a list of 
each application that you've uploaded, 
as Figure 2 shows, as well as a list of 
all the uploaded software that you've 
deployed. For an application that you've 
just uploaded, you can perform several 
different actions. You can edit the package, by 
using what is essentially a modified version 
of the upload wizard that works against the 
uploaded version of the software. Or you 
can choose to deploy the package. 

To deploy the software, simply select 
the computer group or groups on which 
you want to install the software. Optionally, 
you can select a deadline, such as "as soon 
as possible," "one week," and so on. (See 
"Windows Intune Brings PC Management 
Into the Cloud" for details about the 
purpose and creation of computer groups in 
Intune.) You can also view various attributes 
of your managed software, such as 
on which computers an application has or 
hasn't been deployed. 

Of course, things can get complicated 
pretty quickly. All but the simplest of 
applications need to be packaged into more 
easily deployable Windows Installer 
packages. And you'll need to set the 
appropriate command-line switches so that these 
packages can be installed correctly in quiet 
or silent modes that don't require user 
interaction. (To be fair, that last step isn't 
required, and less-sophisticated environments 
might require users to go through 
setup routines, if needed.) Microsoft Office 
is a typical and obvious example of such an 
application, and one that many environments 
will want to deploy. And again, for 
larger environments that have performed 
such customizations in the past, such 
packaging will be straightforward and familiar. 
Smaller, newer businesses will need some 
help to achieve this level of sophistication. 

On the client, deployed applications are 
installed automatically. First, the download 
occurs in the background, using 
compression to minimize traffic, encryption 
for security, and automatic resume in 
case of a connection interruption. After a 
package is successfully downloaded, it is 
decompressed, decrypted, and installed 
according to the schedule that you 
specified in the Intune management console. 
This process does not require the user to be 
logged on interactively, though of course 
the PC must be up and running. If the setup 
routine requires user interaction, it will wait 
for 16 hours before timing out and sending 
an error code to the console. Otherwise, 
the routine will simply install silently in the 
background and be available the next time 
the user logs on or uses the PC. 

Other New Features in Intune 2 

Software distribution isn't the only new 
feature in Intune 2. Microsoft has added 
several other useful features and changes 
to this release. 

Remote tasks. From the management 
console, admins can now fire off remote 
scans of managed PCs. This feature is espe¬ 
cially useful for malware scans, but you can 
also remotely trigger a malware scanner 
update and a PC restart. 

Read-only admin access. In a move 
toward a more delegated administrative 
future, Intune 2 now supports a read-only 
view of the web-based management con¬ 
sole so that certain employees can simply 
view information, such as software inven¬ 
tories. This capability stops short of true 
delegation, and hopefully a future version 
of Intune will provide actionable access 
to only certain parts of the management 
experience. But it's a good first step, and 
Microsoft tells me that specific scenarios 
around delegation are being considered 
for later improvements. Which form those 
scenarios take is currently uncertain. 

Improved reporting. Intune 2 now 
provides hardware-inventory reporting in 
addition to the software and licensing 
reporting in the first version. As you might 
expect, these reports are highly customiz¬ 
able but can contain machine name; chas¬ 
sis type (laptop or desktop); manufacturer; 
model; operating system; total, used, and 
free disk space; physical memory; CPU 
speed; serial number; user; and the date of 
the most recent hardware status. 

License-management improvements. 
In the initial version of the Intune ser¬ 
vice, you could manage Microsoft volume 
licenses only. Now, you can also manage 
Microsoft OEM and retail licenses, and 
third-party licenses. As before, there's no 
enforcement capability, so this is purely 
a way to examine your licensing status 
and manually ensure that you're legally 
licensed. 

Offline PC agent installation. The agent that's deployed to PC clients can now be installed while the PC is offline, though of course you'll need an Internet connection to receive the software initially. Previously, the PC needed to be online during the entire agent-installation process. 

There are a few other changes, including 
some fit and finish improvements for the 
management console and interface changes 
that relate to the new features. Intune is 
also now available in more languages and 
regions. The important bit to understand is 
that Intune 2 is a full superset of the initial 
service, so there's no loss in functionality or 
major changes to existing features. Instead, 
you just get more by upgrading the service. 
This is one of the big benefits of subscrib¬ 
ing to a cloud service: Not only do you not 
need to perform an upgrade or migration 
on servers and PC clients, but features are 
simply added over time. 

Upgrading to Intune 2 

Speaking of which, the upgrade process is 
incredibly simple. On the cloud side, you 
are upgraded automatically; most existing 
customers will have received the upgrade 
by now. (Two weeks before the upgrade, 
you'll be prompted as to the exact upgrade 
date.) On the client, the process is even sim¬ 
pler. Although a tiny update to the agent is 
required, it happens silently, automatically, 
and without any user interaction. 

New users that sign up for the Intune 
service after October 2011 will automati¬ 
cally receive the new features and function¬ 
ality. It's that simple. 

Recommendations 

Windows Intune is a tremendously useful 
service that has gotten even better in its 
second incarnation, thanks in large part 
to the addition of software-distribution 
capabilities. Intune provides a look at the 
future of Microsoft, in which the software 
giant moves beyond its traditional offerings 
to a more complete lineup that includes 
pervasive cloud services. That said, Intune 
is simply too expensive for very small 
businesses, and this barrier to entry might 
ultimately prove to be the service's Achilles heel in that market. 
New in Windows 7, HomeGroup makes it easy for novices and systems administrators 
to network Windows 7 PCs on a LAN without a domain controller (DC) and to share 
resources such as printers and files. Although intended primarily for consumers, Home- 
Group is also useful in small-business situations, in which there might not be ready access 
to IT support. 

HomeGroup Protocol 

The Microsoft HomeGroup protocol is an open standard that relies on peer-to-peer (P2P) networking 
and the Web Services on Devices (WSD) protocol to publish and discover resources on a local subnet, 
without a client/server infrastructure. IPv6 P2P graphing, facilitated by the Peer Name Resolution 
Protocol (PNRP), allows computers to locate one another without a DHCP version 6 (DHCPv6) server. 
PNRP also replaces the NetBIOS names and master browser that were the mainstays of Windows for 
Workgroups (WFW) networking for years. 

When Windows 7 creates a HomeGroup, it establishes a secure PeerGroup so that Windows 7 
nodes on the local subnet can find and communicate securely with one another. XML WSD messages 
of different types advertise the existence of the HomeGroup and other information, such as the peer 
IDs that uniquely identify each computer in the PeerGroup, the credentials for the HomeGroupUser$ 
account, shared printers, and the MAC addresses that are registered for a device. Messages are signed and information encrypted as required, to help protect against rogue computers that might advertise services on the local subnet. A 256-bit Advanced Encryption Standard (AES) key is derived from a Secure Hash Algorithm (SHA)-256 hash of the PeerGroup name, with the HomeGroup password mixed into the hash input as a salt so that the derived key is unique to that HomeGroup. The AES key is used to encrypt the HomeGroup credentials messages and the 2048-bit RSA private/public key pair that the initiator of the HomeGroup creates and uses to sign WSD messages, ensuring their integrity. When 
a computer receives a HomeGroup WSD message, that message is kept so that the information doesn't 
need to be rediscovered unless a change is advertised. 

Server Message Block (SMB) 2.1, the standard protocol for Windows file servers, is used to transfer 
files between computers. Users don't need to enter credentials when accessing resources on other 
computers in a HomeGroup, because the HomeGroupUser$ account and a group called HomeUsers 
simplify access to shared resources on behalf of the logged-on user. 


Essential tips and techniques for small businesses 

by Russell Smith 


Setting Up or Joining a HomeGroup 

All editions of Windows 7 can join a HomeGroup, but only Windows 7 Home Premium, Professional, 
Enterprise, and Ultimate SKUs can create one. A simple wizard is activated when a user connects 
to a new home network; if an existing HomeGroup is not detected, the user is prompted to set 
Figure 1: Joining a HomeGroup 


up a new HomeGroup and share default 
libraries such as Documents and Videos. 
If the computer is joined to a domain, the 
user can opt to participate in an existing 
HomeGroup, if one is detected on the local 
network. 

HomeGroup is not available when 
Windows Firewall is set to Public, so the 
feature is no good for those who want to 
share files ad-hoc with users on a public 
WiFi hotspot. (Apple's AirDrop feature 
has one up on Windows for the time 
being, providing an easy way to share 
files with unknown devices over public 
networks, similar to Bluetooth file shar¬ 
ing.) When setting the Windows Firewall 
profile to Home, you can skip joining a 
HomeGroup by clicking Cancel on the 
Join a Homegroup screen, which Figure 1 
shows, and the firewall profile will be set 
accordingly. 

HomeGroup and ACLs 

When a user shares a library, Windows 
modifies the ACLs on the folders that are 
part of that library. Figure 2 shows that 
the user (user) who joins a HomeGroup 
has a new ACL for the HomeUsers group 
on his or her user folder. This ACL grants 
traverse permission to only the first level 
of the folder. 

If you look at this user's Documents 
folder, you will see that the HomeUsers 
group has been given Read access. When 
a HomeGroup is created, all local user 
accounts are added to the HomeUsers 
group. When a new local user account is 
created, it's automatically added to the 
HomeUsers group. Unless the default con¬ 
figuration is changed, all local users can 
access the folders of any other local users 
that have shared folders in a HomeGroup. 

The HomeGroup setup wizard allows 
users to share their default libraries, but more 
granular configuration can be achieved by 
using Windows Explorer's Share with menu. 
You can select single or multiple folders and 
then disable sharing (by selecting Nobody 
from the Share with menu) or enable Read 
or Read/Write access. Read access is the 
default permission given to libraries that 
are shared in a HomeGroup. If you choose 
to use the Share with menu to grant Read/Write access, be aware that HomeGroup users will actually get Full Control (i.e., they can also delete files). 

When you create or join a HomeGroup, 
you should use Windows Explorer—not the 
Security tab on a file's or folder's Properties 
dialog box—to manage ACLs. The Share 
with menu also has an option to share with 
Specific people. Under the default Windows 
configuration, only local user accounts and 
groups can be selected. If you want to share 
with a specific remote user, then that user 
must have an account that is on the local 
computer and that mirrors the username 
and password that is set on the remote 
computer. As Figure 3 shows, the Advanced 
sharing settings screen in the Network and 
Sharing Center allows you to configure a 
HomeGroup to use a local user account 
instead of HomeGroupUser$. 

The HomeGroup system service is 
responsible for maintaining HomeGroup 
configuration, including ACLs on shared 
folders. When you remove a computer from 
a HomeGroup, all previously added ACLs 
are removed. 
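Because every local account lands in HomeUsers, and because Read/Write in the Share with menu becomes Full Control on disk, the useful check is to enumerate exactly which profile folders carry HomeUsers or HomeGroupUser$ ACEs and which of those grant write access. The following script is an added example, not part of the article: it walks the profile folders one level deep (the traverse ACE sits on the profile root, the Read or Full Control ACE on the shared library folders) and lists the HomeUsers membership. It assumes the Windows 7 defaults described above (profiles under C:\Users, group names HomeUsers and HomeGroupUser$) and uses only PowerShell 2.0 features.

```powershell
# Added example (not from the article): audit the ACEs that HomeGroup sharing
# adds to user profile folders, and show who is in the HomeUsers group.
# Assumes Windows 7 defaults: profiles under C:\Users, principals HomeUsers
# and HomeGroupUser$. PowerShell 2.0 compatible.

$HomeGroupPrincipals = @('HomeUsers', 'HomeGroupUser$')
$ProfileRoot = 'C:\Users'
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-HomeUsersMember {
    # Local group membership via ADSI (Get-LocalGroupMember does not exist on
    # Windows 7). Returns nothing if the group has never been created.
    try {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/HomeUsers,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        }
    } catch { }
}

function Get-HomeGroupAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($HomeGroupPrincipals -contains $name) {
            New-Object PSObject -Property @{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
                # Any write bit means every other local user can change or
                # delete files here (Share with Read/Write grants Full Control).
                Writable  = (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)
            }
        }
    }
}

# Profile roots plus their first-level folders (Documents, Videos, ...).
$profiles = Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer }
$report = foreach ($p in $profiles) {
    Get-HomeGroupAce -Path $p.FullName
    Get-ChildItem -Path $p.FullName -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-HomeGroupAce -Path $_.FullName }
}

'HomeUsers members: ' + ((Get-HomeUsersMember) -join ', ')
$report | Sort-Object Path | Format-Table Path, Principal, Rights, Writable -AutoSize
```

Run it as an administrator so Get-Acl can read every profile. Any row with Writable set to True on a folder the owner believed was shared read-only is the situation the next section warns about, and the fix is the Share with menu (Nobody or Read), not the Security tab.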

Domains and HomeGroup 

Domain-joined computers cannot cre¬ 
ate HomeGroups, but can participate in 
a HomeGroup that is set up on another 
Windows 7 computer. To join an existing 
HomeGroup, the user must first ensure 
that the Windows Firewall network profile 
is set to Home. In Windows 7, domain users 
don't need to elevate privileges to change 
the network location. (You can alter this 
behavior by enabling the Require domain 
users to elevate when setting a network's 



Figure 2: HomeUsers ACL 
C:\>netsh p2p pnrp cloud show names

Scope  Id  Addr  State    Name
    1   0     1  Virtual  Global_
Synchronize server: pnrpv2.ipv6.microsoft.com;pnrpv21.ipv6.microsoft.com
Use Server: Not used
Use SSDP: Not used
Use Persisted cache: Not used
Cloud Configured Mode: Auto
Cloud Operational Mode: Not started

Scope  Id  Addr  State    Name
    3  10     1  Active   LinkLocal_ff00::%10/8
Synchronize server:
Use Server: Disabled
Use SSDP: No addresses
Use Persisted cache: No addresses
Cloud Configured Mode: Auto
Cloud Operational Mode: Full Participant
IP Addresses: [fe80::a1fe:922e:fc39:f13d%10]:3540
Number of cache entries: 1
Estimated cloud size: 0
Number of registered names: 1
Throttled resolves: 0
Throttled solicits: 0
Throttled floods: 0
Throttled repairs: 0
P2P Name: 4f682bef178fcbbfc85b88971f2cb7b631817be3.participant
Identity: 493a90e520abba00031d4af3097fec6e26e3932c.HomeGroupClassifier
Comment: HomeGroupPeerGroupClassifier
PNRP ID: d?df3c49e5a5a8fdfbe4bbcb78af9cc2.fe80000000000000088d4eaf753b8ad9
State: OK
IP Addresses: [fe80::a1fe:922e:fc39:f13d]:3587 tcp

C:\>

Figure 4: Troubleshooting with Netsh 


Figure 3: Advanced sharing settings 


location Group Policy setting under 
Computer Configuration, Administrative 
Templates, Network, Network Connections 
in Group Policy Editor.) 

For security reasons, domain users and 
local users of domain-joined computers 
cannot share resources. If a non-domain 
computer creates or participates in a 
HomeGroup, any shared resources on that 
computer will be disabled if the computer 
later joins to a domain. 

HomeGroup Troubleshooting 
Checklist 

Only one HomeGroup can be present on 
a subnet, and a Windows 7 computer can 
be a member of only one HomeGroup. If 
you want to join a HomeGroup on a dif¬ 
ferent LAN, you first need to remove the 
device from its existing HomeGroup. Only 
disks that are formatted with NTFS can be 
shared in a HomeGroup, so that excludes 
CD-ROMs or DVD-ROMs and FAT-based 
file systems. If you have trouble establish¬ 
ing a HomeGroup, take these steps: 

• Ensure that Windows Firewall is correctly configured. Setting the firewall profile to Home should be enough for automatic configuration. (You can find full details of HomeGroup firewall requirements in the Microsoft document "HomeGroup and Firewall Interaction" at www.microsoft.com/download/en/details.aspx?id=10561.) 
• Check the local NIC settings to make sure that IPv6 is enabled. 
• Verify that multicast traffic is allowed on the local subnet and is supported by network adapters and other networking equipment, such as routers and switches. 
• Determine whether third-party security software is blocking HomeGroup communications. 

The output in Figure 4 shows two PNRP clouds. The Global_ cloud is of no interest; only the LinkLocal cloud is relevant to the HomeGroup. This output shows the link-local IPv6 address and P2P data for the local network adapter, and the Full Participant operational mode together with the registered HomeGroupPeerGroupClassifier name tell you that the PeerGroup is up and running. 

The netsh p2p pnrp diag context also contains useful ping and traceroute troubleshooting commands. But as long as your local network meets the basic requirements for Windows HomeGroup, you'll seldom need the advanced troubleshooting commands that Netsh provides. 
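The checklist above can be run as a script rather than worked through by hand. The following PowerShell is an added example, not part of the article: it checks the active firewall profile, the presence of an IPv6 link-local address, the startup mode of the services HomeGroup depends on, and the operational mode of the LinkLocal PNRP cloud that Figure 4 shows. It uses only built-in tools (netsh and WMI) so it runs on an unmodified Windows 7 PC with PowerShell 2.0; the service list is the Windows 7 default set, and the Home and Work locations both map to the Private firewall profile that the first check looks for.

```powershell
# Added example (not from the article): run the HomeGroup troubleshooting
# checklist as a script on a Windows 7 PC. Built-in tools only (netsh, WMI),
# PowerShell 2.0 compatible. Service names are the Windows 7 defaults.

function Test-HomeGroupPrereq {
    $results = @()

    # 1. Firewall profile. HomeGroup needs the Home (or Work) location, which
    #    both map to the Private profile; Public disables the feature.
    $fw = netsh advfirewall show currentprofile
    $profileLine = (@($fw | Where-Object { $_ -match 'Profile Settings' }) -join ' ').Trim()
    $results += New-Object PSObject -Property @{
        Check  = 'Active firewall profile is Private (Home/Work)'
        Passed = ($profileLine -match 'Private')
        Detail = $profileLine
    }

    # 2. IPv6 link-local address. PNRP and the PeerGroup run over IPv6.
    $v6Lines = @(netsh interface ipv6 show addresses | Where-Object { $_ -match 'fe80:' })
    $results += New-Object PSObject -Property @{
        Check  = 'IPv6 link-local address present'
        Passed = ($v6Lines.Count -gt 0)
        Detail = ($v6Lines -join '; ').Trim()
    }

    # 3. Services HomeGroup depends on. Several are demand-start, so the
    #    failure condition is Disabled, not merely Stopped.
    $svcNames = 'HomeGroupListener', 'HomeGroupProvider', 'PNRPsvc', 'p2psvc',
                'p2pimsvc', 'fdPHost', 'FDResPub'
    foreach ($name in $svcNames) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $detail = if ($svc) { "$($svc.StartMode)/$($svc.State)" } else { 'not installed' }
        $results += New-Object PSObject -Property @{
            Check  = "Service $name not disabled"
            Passed = ($svc -ne $null -and $svc.StartMode -ne 'Disabled')
            Detail = $detail
        }
    }

    # 4. The LinkLocal PNRP cloud should report Full Participant (see Figure 4).
    $cloud = netsh p2p pnrp cloud show names
    $modeLines = @($cloud | Where-Object { $_ -match 'Operational Mode' })
    $results += New-Object PSObject -Property @{
        Check  = 'PNRP LinkLocal cloud is Full Participant'
        Passed = (($modeLines -join ' ') -match 'Full Participant')
        Detail = ($modeLines -join '; ').Trim()
    }

    $results
}

Test-HomeGroupPrereq | Format-Table Passed, Check, Detail -AutoSize
```

A Passed column of False on the firewall or IPv6 rows explains almost every failed join; the multicast check from the list is the one item the script cannot make for you, because it depends on the switches and routers rather than on the PC.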

Proceed with Caution 

Anyone who has ever dealt with NetBIOS or 
WINS knows how frustrating even the sim¬ 
plest of networking jobs can be in a WFW 
scenario and how troubleshooting such 
scenarios requires a fair amount of back¬ 
ground technical know-how. Windows 7 
HomeGroup is a welcome addition to the 
OS and should make simple P2P network¬ 
ing an easy task for both administrators 
and non-technical users. 

The implementation of HomeGroup using IPv6, WSD, and SMB is fundamentally sound: discovery and credential messages are signed and encrypted, so a rogue computer on the subnet can't simply impersonate the HomeGroup. Note, though, that SMB 2.1 itself does not encrypt file data in transit (SMB encryption arrived later, with SMB 3.0), so on a wireless network it is the router's WPA2 encryption, not HomeGroup, that keeps shared files from being sniffed over the airwaves. So long as your wireless router is set up to provide adequate security, you can run a HomeGroup over a wireless network with confidence that you aren't increasing that risk. 

However, you need to watch out for 
local ACL issues, in which local computer 
users might gain access to other local users' 
files. HomeGroup isn't intended to be a business-grade solution, so be sure that you fully understand the potential security implications in a scenario where local user accounts are in use. 
Say goodbye and good riddance to the single-server admin model 

by Paul Thurrott 


I n Windows Server 2008, Microsoft added the Server Manager interface, and it was good. Server 
Manager provides a central location for managing a server's roles and features, and although 
there’s occasionally a need to use other tools, many admins can live in this interface all day 
long. But Server Manager has a fatal flaw that's obvious with the passage of time: It works 
against only one server at a time. If you need to manage multiple servers, as many admins 
do in this new world of distributed computing services and virtualized environments, Server 
Manager becomes more of a hindrance than a benefit. 

And that's where the next version of Windows Server, code-named Windows Server 8, comes 
in. Among the many benefits and new features in the upcoming Windows Server OS revision is a 
completely new version of Server Manager, written from the ground up to accommodate today's 
multiserver management style. And the new Server Manager is indeed brand new: It doesn't look or 
behave like any administrative console you've ever used. 

The difference isn't just in the look and feel. Server Manager 8 (as I call it) is different from previous 
versions because Microsoft expects most admins to access it on their desktop PCs, remotely connect¬ 
ing to the servers that they manage from a single interface. This approach stands in sharp contrast to 
the more typical administrative model, in which you use Remote Desktop Connection to interactively 
access each server's desktop—or worse yet, physically sit down in front of each server. 


A Server Manager for the 21st Century 

When you run Server Manager 8 for the first time, it's obvious that things have changed. Gone is the 
Microsoft Management Console (MMC)-based UI, with its old-school panels and panes and tree- 
based navigation of roles and features. Instead, Microsoft has wrought a new, flatter UI that seems 
to incorporate some Metro-style user experiences from Windows 8 or Windows Phone, as Figure 1 
shows. 

If you're familiar with the process of configuring a new server that runs Server 2008, you'll also notice the absence of the Configure Your Server wizard on your first boot of Server 8. I don't see a direct replacement for that wizard, at least not in the Server 8 developer preview, so you'll need to set up certain features manually before digging into Server Manager. A temporary Welcome to Server Manager pane in Server Manager provides a more obvious way to configure roles and features, add servers to manage, or create a server group, as Figure 2 shows. This pane can be handy until you know your way around. 

Dive into Server Manager, and you'll see that the dashboard UI is still segmented, with a navigation 
pane of sorts on the left. But you no longer expand nodes in a tree-like structure, as you do in Server 
2008 Server Manager. Instead, selections 
simply replace the main view in the con¬ 
sole. For items that have subnodes, a new 
pane opens, as Figure 3 shows. If you're 
familiar with how the Windows Intune 
management console looks and works, 
this approach will feel somewhat similar. 
For most Windows admins, it will be a new 
way of doing things. 

From a usage perspective, Server 
Manager 8 provides a tiled dashboard as 
the default view. Each tile represents a 
role that's installed on one or more of the 
servers that you're managing. So you'll see 
individual tiles for such things as Active 
Directory Domain Services, DNS Server, 
File Services, and whichever other roles 
you've configured across your environ¬ 
ment. These roles also appear in the navi¬ 
gation pane, so they're always a click away, 
but the dashboard provides at-a-glance 
capabilities, including red highlighting of 
events, services, performance alerts, and 
other role-related items that need atten¬ 
tion. For example, one of my Server 8 vir¬ 
tual machines (VMs) is perpetually low on 
available RAM, so the performance alerts 
item is usually highlighted in red. 

These alerts aren't just for show: You 
can also act on them. To do so, click the 
item in question. A Detail View window 
appears and provides more information, 


as Figure 4 shows. What you can do from 
this window depends on the alert. In the 
case of my performance-alerts warning, I 
can see which machine is affected and the 
warning type, and then I can right-click that 
warning to get even more information in 
the Performance View window. Here, I can 
view individual alerts and see information 
about which processes are consuming so 
much RAM. In my case, simply providing 
the VM with more memory solved the 
problem. 

Multiple Servers, One Pane of Glass 

Of course, Server Manager 8 really shines when you use the interface to configure and manage multiple servers. You add servers to Server Manager through the Manage menu in the top-right corner of the main console. Then, via the Add Servers option, you choose other machines in your environment and add them to the console. You can add Server 8 machines, of course, but you can also add machines that run Windows 8, Server 2008 (or Windows Server 2008 R2), Windows Vista, Windows Server 2003, or Windows XP. (So far, I've tested this function by adding Server 8 machines only.) 

Figure 2: Adding roles or servers and creating groups 

After you've added two or more serv¬ 
ers, you see that each configured role tile 
in the Server Manager dashboard has a 
number next to the role name. This num¬ 
ber describes how many managed servers 
offer that role. In my test environment, I 
have two Active Directory (AD) domain 
controllers (DCs), but only one offers the 
File Services role and only one offers the 
DNS Server role. From the dashboard, 
you can view information about multiple 
servers, with a single click. Simply click the 
appropriate item—services under Active 
Directory Domain Services, for example— 
and the Detail View window appears, 
showing an aggregation of the running 
services on each machine. 

In this Detail View window, which 
Figure 5 shows, you can filter the view by 
using the Servers drop-down menu, which 
lets you choose which servers to include in 
the view. In the Services example, you can 
also filter by startup types, services, and 
service status; the choices vary according 
Figure 4: Detail view for an alert 



Figure 5: Filtering in the Detail View window 



Figure 6: Acting directly on multiple servers 


to the type of item that you're viewing. The 
Performance Alerts Detail View offers filters 
for Resource type in addition to Servers. 
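The aggregation the Detail View performs, one table of services across every managed server filtered by server, startup type, and status, is something you can reproduce from PowerShell today against Server 2008 and 2008 R2 machines, which is handy while Server 8 is still a preview. The following function is an added example, not part of the article or of Server Manager; the server names are placeholders, and it assumes WMI (DCOM) access to the targets, the same access Server Manager itself needs.

```powershell
# Added example (not from the article): aggregate services across several
# servers with the Detail View's filters (servers, startup type, status).
# Assumes WMI access to the targets; server names below are placeholders.

function Get-AggregatedService {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        [string[]]$StartMode = @('Auto'),    # Auto, Manual, Disabled
        [string[]]$State     = @('Stopped')  # Running, Stopped, ...
    )
    foreach ($computer in $ComputerName) {
        # Win32_Service carries StartMode, which Get-Service on PowerShell 2.0 lacks.
        $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue
        if (-not $services) {
            # Keep unreachable servers visible in the same table rather than dropping them.
            New-Object PSObject -Property @{
                Server = $computer; Name = '(unreachable)'; DisplayName = ''; State = ''; StartMode = ''
            }
            continue
        }
        $services |
            Where-Object { $StartMode -contains $_.StartMode -and $State -contains $_.State } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server      = $computer
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    StartMode   = $_.StartMode
                }
            }
    }
}

function Start-AggregatedService {
    # The "act on the selection" half: start every service in the piped-in rows.
    param([Parameter(ValueFromPipeline=$true)]$Row)
    process {
        if ($Row.Name -eq '(unreachable)') { return }
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $Row.Server -Filter "Name='$($Row.Name)'"
        $rc = $svc.StartService().ReturnValue   # 0 = success, 10 = already running
        New-Object PSObject -Property @{ Server = $Row.Server; Name = $Row.Name; ReturnCode = $rc }
    }
}

# Automatic services that are not running on either DC: the alert-worthy case.
$stopped = Get-AggregatedService -ComputerName 'DC1', 'DC2'
$stopped | Sort-Object Server, Name | Format-Table Server, Name, State, StartMode -AutoSize

# Review the list first, then act on all of it at once:
# $stopped | Start-AggregatedService
```

The split between the query and the action mirrors what the article describes in the console, but here the selection is an object list you can inspect, filter again, or export before anything is changed.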

The Server Manager dashboard is good 
for viewing information and for acting 
on alerts. But when you need to actually 
configure roles and features, you need to 
dive into individual nodes in the navigation 
pane. For example, when you select the 
Active Directory Domain Services node, 
the Server Manager view changes to show 
the configuration options for that node. 

Common to most of these role views is a 
top pane, in which you can see each man¬ 
aged server that is configured with that par¬ 
ticular role in your environment. By default, 
all roles are selected, so in the tiles below 
the top pane—tiles for Events, Services, 
Best Practice Analyzer, Performance Alerts, 
and Features, in this example—the infor¬ 
mation that you see applies to all related 
servers. You can select one server, or you 
can select multiple 
servers, much as you'd 
select multiple files in 
Windows Explorer, by 
pressing Ctrl and click¬ 
ing the items. 

Where things get a 
bit hairy in this UI is 
when you want to act 
on a particular server or 
group of servers. Each 
tile below the main 
server list has a hidden 
Tasks drop-down menu 
that appears when you 
hover over the area 
above the top right of 
the tile. What you see in 
that drop-down menu 
varies depending on the 
tile and, in some cases, 
the servers that you've 
selected. The really odd 
bit, however, is this: You 
need to select servers in 
the top pane and then 
select the actions to use 
on those servers in these 
hidden Tasks lists. 

Confused? Think of 
it this way. In the file 
system, when you select 
a group of files, you can 
right-click that group 
and then select from a list of actions that 
appears in the context menu. This approach 
makes sense because you are typically per¬ 
forming an action "on" the group (or item) 
that you've selected. In Server Manager, 
the selection and action occur separately, 
in different parts of the UI. 

Here's an example: In the Events tile 
in the Active Directory Domain Services 
node, one of the actions that you can take 
via the Tasks menu is Configure Event Data. 
You can take this action for a single server 
or for any number of selected servers. First, 
you must select one or more servers in the 
pane that lists all the managed servers in 
your environment. Then, you must hover 
over the area above the Events tile, which 
contains the hidden Tasks menu. This 
menu appears as your mouse moves over 
it; click the menu when it appears and then 
click Configure Event Data. The Configure 
Event Data window appears, and you can 


make whatever configuration changes you 
like. These configuration changes get inter¬ 
esting when you select two or more servers, 
of course. 

Aside from the disconnected nature 
of the tiles and their associated actions, 
Server Manager does offer one way to 
select and then directly act on multiple 
servers, as Figure 6 shows. In any pane 
that lists servers, you can select multiple 
servers and then right-click. You'll see a 
context menu, similar to the one that's used 
in the file system, with common tasks such 
as Add Roles and Features, Restart Server, 
Computer Management, and so on. 

These capabilities become more pow¬ 
erful when you're managing many servers, 
as you can suddenly and simultaneously 
apply common configurations or fix com¬ 
mon problems across multiple machines. 

Looking Ahead 

This mile-high view of Server Manager in 
Server 8 provides just a peek at the capa¬ 
bilities of this exciting new UI. But that's by 
design. Like the OS on which it runs, Server 
Manager is a work in progress and will no 
doubt improve over time. I'm interested to 
see whether admins find the disconnected 
server/action model that I've described 
confusing enough that Microsoft makes 
a change; hiding the Tasks list until you 
mouse over it is hardly discoverable or 
optimal. But even in this rough state, Server 
Manager is proof that the single-server 
admin model of the past has run its course. 
Microsoft is onto something with Server Manager in Server 8, and I can't wait to see how it evolves. 
Running programs on remote computers is a common administrative task, and there are a number of techniques available to accomplish it. (See the web sidebar "Common Ways to Run Programs on Remote Computers," www.windowsitpro.com, InstantDoc ID 141558, for a list of some commonly used techniques and their advantages and disadvantages.) I've come to rely on the Windows Task Scheduler service because it's a native part of Windows OSs and hence always available under normal circumstances. 

In 2005, I wrote a VBScript script, JTRun.vbs, that used the Task Scheduler service to immediately run programs on Windows XP and Windows 2000 (Win2K) remote computers. As I described in the web-exclusive article "Command-Line Task Scheduler" (www.windowsitpro.com, InstantDoc ID 45148), I used the Microsoft utility Jt.exe instead of the Schtasks command (which was introduced in XP) as the command-line interface for the Task Scheduler service for two reasons. First, Jt.exe worked on both XP and Win2K, whereas Schtasks didn't exist on Win2K. Second, Jt.exe had a "run now" feature that Schtasks lacked. (Jt.exe lets you run programs "now," meaning in the next minute.) 

Now that I use Windows PowerShell as my primary command-line shell, I decided to replace JTRun.vbs with a PowerShell script for several reasons: 

• JTRun.vbs requires an administrative password in clear text on the script's command line. PowerShell can use PSCredential objects, which securely store passwords. 
• JTRun.vbs works with only one computer at a time. PowerShell pipelining makes working with multiple computers relatively easy. 
• JTRun.vbs produces output that isn't designed for parsing. In PowerShell, you can output custom objects with whatever properties are needed. 
• Jt.exe's "run now" feature can be problematic if the local and remote computers' times aren't in sync, or if the local and remote computers are in different time zones. 


PowerShell scripting does all the work for you 

by Bill Stewart 


After I decided to replace JTRun.vbs with a PowerShell script, my first thought was to use the 
TaskService scripting object (which was introduced in Windows Vista and Windows Server 2008) 
or the Schtasks command instead of Jt.exe. However, I was annoyed to discover that, at least from 
Windows 7, you can't connect to remote XP systems using either the TaskService or Schtasks 
method. As Figure 1 shows, both methods return an Access is denied error. (The PowerShell window 
in Figure 1 is running under the Administrator account on the local system, and the same domain 
account is a member of Administrators on the remote XP system as well.) However, I found that 
Jt.exe works just fine on Windows 7, so I decided to stick with it. 

Although the new PowerShell script, Start-Program.ps1, still uses Jt.exe to create the scheduled task, it doesn't have the old VBScript script's other problems. Before I show you how to use the new PowerShell script, however, I need to describe the Jt.exe program and how Start-Program.ps1 uses it to 
Figure 1: Errors encountered when trying to use the TaskService and Schtasks methods to connect to a remote XP system 


become a general-purpose "run a program 
on any computer" tool. 

Understanding Jt.exe 

As I mentioned previously, Jt.exe pro¬ 
vides a command-line interface to the 
Task Scheduler service. You can download 
this utility from ftp://ftp.microsoft.com/ 
ResKit/win2000/jt.zip. After you extract the 
Jt.exe file, you need to put it in a directory in your Path. You only need Jt.exe in the Path on the computer on which you run Start-Program.ps1. 

Although the Jt.exe command is power¬ 
ful and flexible, its syntax is rather complex 
and not very user-friendly. For that reason, 
I designed Start-Program.ps1 to create and 
run a Jt.exe command that contains the 
parameters shown in Table 1. 

Jt.exe generates output strings that 
are informative. For example, Figure 2 
shows some sample output strings, one of 
which contains an error message. However, 
the output strings make parsing difficult, 
especially if you need to execute a Jt.exe 
command for more than one computer. 
Start-Program.ps1 parses the output strings 
and manages Jt.exe errors for you, report¬ 
ing errors when appropriate. 

Using Start-Program.ps1 to run Jt.exe offers several other advantages as well. First, you don't need to type passwords in clear text on the command line. Second, Start-Program.ps1 hides the complexities of the Jt.exe command-line parameters shown in Table 1. Third, Start-Program.ps1 can run a program on multiple computers. Finally, it outputs objects that can be filtered, sorted, and so on. 

Using Start-Program.ps1 

You can download Start-Program.ps1 by going to www.windowsitpro.com, entering 141270 in the Search box, and clicking the 141270.zip hotlink. After you extract the script, you should put it in the same Path as Jt.exe. (Start-Program.ps1 and Jt.exe can be in the same or different directories in the Path.) The script's command-line syntax is as follows: 

    Start-Program [-ComputerName] <String[]>
        -StartTime <DateTime>
        -Program <String>
        [-Parameters <String>]
        [-WorkingDirectory <String>]
        [-KeepTask]
        [-TaskCredential <PSCredential>]
        [-Verbose]

The -ComputerName parameter speci¬ 
fies the computers on which to run the pro¬ 
gram. You can omit the -ComputerName 
parameter name if you put the computer 
names first on the command line. You can 
specify a period (.) or the string localhost 
to refer to the current computer. This 
parameter also supports pipeline input 
(i.e., if you pipe input to the script, the 
script assumes the piped input is a list of 
computer names). 

The -StartTime parameter is a DateTime object that specifies when the program should run. You can specify a date, a time, or both. If you specify only a date, the time will be midnight. If you specify only a time, the date will be the current day. Because the parameter is a DateTime object, you can specify the date and time in any valid format. Note that for remote computers, this parameter refers to the date and time on the remote computer, not the computer on which you run the script. 

You use the -Program parameter to 
specify the program you want to run. You 
can also specify a shell script (i.e., a .cmd 
or .bat file). This parameter can include 
a path to a network location if the cre¬ 
dentials you specify have the appropriate 
permissions. You shouldn't include the 
program's command-line arguments in the 
-Program parameter. If the program needs 
command-line arguments, you need to use 
the -Parameters parameter. 

The -Parameters parameter is a string 
that specifies the command-line arguments 
for the program. The parameter needs to 
be enclosed in double quotes (") when it 
contains embedded spaces. However, the 
string must not contain embedded double 
quotes due to a limitation in Jt.exe. (Jt.exe 
uses double quotes for strings and doesn't 
provide a means to embed double quotes 
inside a quoted string.) If you need to run 
a program that uses embedded double 
quotes in its command line, you need to 
put the command line in a shell script 
and use Start-Program.ps1 to run the shell 
script. 

If you want to make sure the program 
starts in a specific location, you must 
include the -WorkingDirectory parameter. 
Otherwise, the OS will decide the program's 
working directory. Note that if you're 
running a program on a remote computer, 
the working directory is relative to the 
remote computer, not the current computer. 

Table 1: Jt.exe Command-Line Parameters Used by Start-Program.ps1 

/SM "\\computername" 
    Connects to the Task Scheduler service on the specified computer. 

/SAJ "taskname" 
    Specifies the name for the scheduled task. Start-Program.ps1 generates a 
    task name based on the program name and the current date and time. 

/SC "domain\username" "password" 
    Uses the specified credentials to run the scheduled task. 

/CTJ StartDate = mm/dd/yyyy StartTime = hh:mm Type = ONCE Disabled = 0 
    Runs the task once at the specified date and time. The task isn't disabled. 

/SJ ApplicationName = "program" [Parameters = "parameters"] 
    [WorkingDirectory = "path"] [DeleteWhenDone = 1] 
    Specifies the program to run, its command-line parameters (optional), 
    a working directory (optional), and whether the Task Scheduler service 
    should delete the task after it runs (optional). 

Figure 2: Sample output strings from Jt.exe 

Table 2: Sample Commands to Run Start-Program.ps1 

Command*: 
    Start-Program -StartTime 11:15 -ComputerName localhost,svr1 
    -Program msiexec.exe -Parameters "/i \\APP1\MyApp\MyApp.msi /qn" 
Description: 
    Installs MyApp.msi on two computers. The task will start at 11:15 a.m. 
    today. Start-Program.ps1 will prompt for the credentials to use to run 
    the program. 

Command*: 
    Start-Program -StartTime "11/30/2011 14:30" 
    -ComputerName (Get-Content Computers.txt) 
    -Program \\APP1\MyApp\Setup.cmd 
Description: 
    Runs \\APP1\MyApp\Setup.cmd on each of the computers listed in the file 
    Computers.txt. The task will start at 2:30 p.m. on 11/30/2011. 

Command*: 
    Get-Content Computers.txt | Start-Program -StartTime "12/1/2011" 
    -Program \\APP1\MyApp\AppSetup.exe -Parameters /Silent | 
    Export-CSV Results.csv -NoTypeInformation 
Description: 
    Runs the command \\APP1\MyApp\AppSetup.exe with the /Silent parameter 
    on each of the computers listed in the file Computers.txt, and outputs 
    the results to Results.csv. The task will start at midnight on 12/1/2011. 

* Although the commands wrap here, you'd enter them on one line in the PowerShell console. 

If you specify the -KeepTask param¬ 
eter, the scheduled task won't be marked 
to delete itself after it's scheduled to 
start. This parameter can be useful for 
troubleshooting. 

The -TaskCredential parameter specifies 
a PSCredential object. This set of creden¬
tials will be used to start the scheduled 
task. If you don't specify this parameter, 
Start-Program.ps1 will prompt you for cre¬
dentials. Due to the aforementioned limita¬
tion in Jt.exe, the username and password 
can't contain embedded double quotes. 

Start-Program.ps1 supports PowerShell's 
-Verbose common parameter. If you specify 
the -Verbose parameter, the script outputs 
the exact Jt.exe command line (excluding 
the password) and the output generated by 
Jt.exe. You can use the verbose output as 
needed to diagnose problems. 

Table 2 shows some sample commands 
to run Start-Program.ps1. When you run it, 
the script creates the appropriate Jt.exe 
command using the information you 
supplied on the command line. Next, 
the script executes that command and 
captures Jt.exe's output strings, checking 
them for errors. Finally, the script outputs 
a PSObject object that contains the follow¬
ing properties: 

• ComputerName (the computer on 
which the task was scheduled) 

• TaskName (the scheduled task's name, 
which the script generates based on the 
program name and the date and time 
the task was scheduled) 

• StartTime (the date and time the task 
will run) 

• CommandLine (the program name and 
its arguments) 

• KeepTask (True or False, based on 
whether the -KeepTask parameter was 
specified) 

• Result (0 for success, non-zero 
hexadecimal code for error) 

Understanding the Security Implications 

Because Start-Program.ps1 uses Jt.exe, it's 
subject to that utility's limitations, which 
means there are a few security implications 
you need to know about: 

1. Although you can use Start-Program.ps1 
without typing passwords in clear text, the 
script still needs a clear-text copy of the 
password for the Jt.exe command it runs. 
This means that a clear-text copy of the 
password is temporarily available in memory 
while the script creates and executes the 
Jt.exe command, and because Jt.exe takes 
the password as a command-line argument, 
it's also visible to anyone who can read the 
Jt.exe process's command line (for example, 
through the Win32_Process WMI class) while 
Jt.exe runs. Thus, there's a possibility of 
password exposure if a rogue process has 
access to this memory or to the process list, 
or if Windows swaps the memory to disk. 

2. On Vista/Server 2008 or later, Jt.exe will 
create the scheduled task on the current 
computer at the same integrity level as the 
process that created it (i.e., with the same 
UAC-filtered or full administrator token). 
In other words, if you run Start-Program.ps1 
from an elevated PowerShell session, Jt.exe 
will create the scheduled task to run 
elevated. However, if you run Start-Program 
.ps1 from a non-elevated PowerShell session, 
Jt.exe won't create the scheduled task to 
run elevated. This caveat applies only to 
scheduling tasks on the current computer. 
If you're running a non-elevated PowerShell 
session but you're logged on using an 
account that's a member of the Administrators 
group on a remote computer, the task will 
run elevated. 

3. The program you run won't be 
visible on the remote computer, so it 
needs to be a program that can run 
silently and complete without user 
interaction. 
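The command assembly and output object described above, together with security points 1 and 2, as an added example (this is not the Start-Program.ps1 script from the article, which you download separately): it builds the Jt.exe command line from the Table 1 switches, rejects values with embedded double quotes, pulls the password out of the PSCredential only when the command line is assembled and zeroes the unmanaged copy immediately, warns when a local task is scheduled from a non-elevated session, and returns an object with the same property names the article lists. The function names, the task-name format and the reading of Jt.exe's exit code as 0 = success are this example's assumptions; the server and share names in the usage lines are constructed.

```powershell
# Added example, not the article's Start-Program.ps1. Task-name format,
# function names and "0 = success" for Jt.exe's exit code are assumptions.

function Test-Elevated {
    # True when this process holds a full (non-UAC-filtered) administrator
    # token, which is what a locally scheduled task inherits (security point 2).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-LocalComputer {
    param([string] $ComputerName)
    @('.', 'localhost', $env:COMPUTERNAME) -contains $ComputerName
}

function Assert-NoDoubleQuote {
    param([string] $Value, [string] $Name)
    # Jt.exe delimits strings with " and has no escape for an embedded ",
    # so refuse the value rather than emit a command line it will misparse.
    if ($Value -and $Value.Contains('"')) {
        throw "$Name must not contain a double quote (Jt.exe limitation)"
    }
}

function New-JtCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string]       $ComputerName,
        [Parameter(Mandatory=$true)] [DateTime]     $StartTime,
        [Parameter(Mandatory=$true)] [string]       $Program,
        [string] $Parameters,
        [string] $WorkingDirectory,
        [switch] $KeepTask,
        [Parameter(Mandatory=$true)] [PSCredential] $TaskCredential
    )
    Assert-NoDoubleQuote $Program                 'Program'
    Assert-NoDoubleQuote $Parameters              'Parameters'
    Assert-NoDoubleQuote $WorkingDirectory        'WorkingDirectory'
    Assert-NoDoubleQuote $TaskCredential.UserName 'UserName'

    $target   = if (Test-LocalComputer $ComputerName) { $env:COMPUTERNAME } else { $ComputerName }
    $taskName = '{0}-{1:yyyyMMddHHmmss}' -f ([IO.Path]::GetFileNameWithoutExtension($Program)), (Get-Date)

    # /CTJ wants mm/dd/yyyy and hh:mm; format with the invariant culture so the
    # strings don't change with the operator's regional date settings.
    $inv   = [Globalization.CultureInfo]::InvariantCulture
    $date  = $StartTime.ToString('MM/dd/yyyy', $inv)
    $clock = $StartTime.ToString('HH:mm', $inv)

    $job = "ApplicationName = `"$Program`""
    if ($Parameters)       { $job += " Parameters = `"$Parameters`"" }
    if ($WorkingDirectory) { $job += " WorkingDirectory = `"$WorkingDirectory`"" }
    if (-not $KeepTask)    { $job += ' DeleteWhenDone = 1' }

    # The password leaves the SecureString only here (security point 1). The
    # unmanaged copy is zeroed at once; the managed copy inside CommandLine
    # lives until Jt.exe has been launched and the object is collected.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($TaskCredential.Password)
    try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    Assert-NoDoubleQuote $password 'Password'

    $cmd = "/SM `"\\$target`" /SAJ `"$taskName`" " +
           "/SC `"$($TaskCredential.UserName)`" `"$password`" " +
           "/CTJ StartDate = $date StartTime = $clock Type = ONCE Disabled = 0 " +
           "/SJ $job"

    New-Object PSObject -Property @{
        ComputerName = $target
        TaskName     = $taskName
        StartTime    = $StartTime
        Command      = "$Program $Parameters".Trim()
        KeepTask     = [bool] $KeepTask
        CommandLine  = $cmd
        Display      = $cmd.Replace("`"$password`" /CTJ", '"********" /CTJ')  # for -Verbose
    }
}

function Invoke-JtCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true)] [PSObject] $Plan, [string] $JtPath = 'jt.exe')
    if ((Test-LocalComputer $Plan.ComputerName) -and -not (Test-Elevated)) {
        Write-Warning "Non-elevated session: the task on $($Plan.ComputerName) will not run elevated."
    }
    Write-Verbose "jt.exe $($Plan.Display)"
    # Start-Process hands the string to CreateProcess unchanged, so Jt.exe sees
    # exactly the quoting built above; its output is captured via a temp file.
    $out = [IO.Path]::GetTempFileName()
    try {
        $proc = Start-Process -FilePath $JtPath -ArgumentList $Plan.CommandLine `
                    -NoNewWindow -Wait -PassThru -RedirectStandardOutput $out
        $text = (Get-Content $out | Out-String).Trim()
    } finally { Remove-Item $out -ErrorAction SilentlyContinue }
    Write-Verbose $text
    New-Object PSObject -Property @{
        ComputerName = $Plan.ComputerName
        TaskName     = $Plan.TaskName
        StartTime    = $Plan.StartTime
        CommandLine  = $Plan.Command
        KeepTask     = $Plan.KeepTask
        Result       = $proc.ExitCode   # assumed: 0 = success, non-zero = error
        Output       = $text
    }
}

# Usage (server and share names constructed for this example):
$cred = Get-Credential
$plan = New-JtCommandLine -ComputerName svr1 -StartTime '11/30/2011 14:30' `
            -Program msiexec.exe -Parameters '/i \\APP1\MyApp\MyApp.msi /qn' -TaskCredential $cred
Invoke-JtCommandLine $plan -Verbose
```

Pass -Verbose to see the masked command line and Jt.exe's raw output. The Display property is what you log; CommandLine still carries the password, so don't write the plan object to a transcript or a CSV. Even with the SecureString handling, the password is a plain argument to Jt.exe, so anyone who can enumerate the Jt.exe process's command line can read it for the few moments Jt.exe runs, which is the exposure the article's point 1 and its closing paragraph describe.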

Flexibility Without Complexity 

Using the Task Scheduler service is a good 
way to run programs on remote computers, 
but the Jt.exe program is complex and not 
secure because it requires a password on 
its command line. Start-Program.ps1 man¬
ages the tool's complexity, minimizes the 
security risk, and provides an easy-to-use 
and flexible way to run a program on one 
or more computers. 
Most systems administrators have the same enthusiasm for scripting that my nine- 
year-old son has for a tetanus injection. Sure, IT pros love the idea of automating 
as many processes as possible. But when they're actually sitting in front of the Win¬
dows PowerShell ISE and must write something that takes more than a few lines 
of code, the excitement wanes and they quickly find something that they're more 
passionate about—like reading every entry in the event logs. 

This is unfortunate, because if there's one inevitable progression in the systems administration 
profession, it's that as time goes by, smaller numbers of IT pros are required to manage and monitor 
larger numbers of systems. IT pros who aren't good at automating complex systems administration 
tasks are going to be less competitive in the job market than IT pros who embrace automation tech¬ 
nologies. The ability to rapidly automate common tasks is becoming crucial. 

Microsoft System Center Orchestrator 2012 simplifies the process of automating systems admin¬ 
istration tasks. Originally a third-party product named Opalis, which Microsoft acquired in 2009, 
Orchestrator provides a simplified way of building complex automation. Rather than writing several 
lines of PowerShell code to determine whether a specific alert has popped up in the Windows event 
log, you can use Orchestrator's canvas, on which you can drop an item that relates to event monitor¬ 
ing, configure that item to flag a specific alert, and then connect the item to another item that takes a 
specific action in relation to that work. Instead of several lines of what sometimes seems to be arcane 
PowerShell code, you can accomplish the same tasks by using a drag-and-drop process that might 
take you all of 30 seconds. 

Orchestrator is a complete solution that goes beyond basic automation. You can configure 
Orchestrator runbooks to be triggered according to event logs or, more usefully, Microsoft System 
Center Operations Manager alerts. Rather than waiting for an end user to notice that a service has 
become unavailable or having a member of the support team raise a job according to an Ops Manager 
alert, you can automate the process entirely through the use of an Orchestrator runbook that is trig¬
gered by an alert, raises a job in the job-tracking system, runs a complex operation to resolve the issue 
that triggered the alert, adds information to the job in the job-tracking system, and then closes that 
job. The alert is resolved, the job is logged and closed, and everything is completed without direct 
human intervention. 

Although not all the alerts that Ops Manager raises can be resolved through automation, many 
items have a specific process that, when followed, resolves the issue. If you can come up with a 
procedure to resolve a specific known problem, then you can come up with a way to automate that 
resolution. 

To better understand Orchestrator, you need to understand the concepts of Activities, Runbooks, 
Data Bus, and Integration Packs. 
Activities 

Orchestrator uses a GUI-based approach 
to creating automations. The items that 
you work with when you create these auto¬ 
mations are known as activities. You use 
the runbook designer to drag and arrange 
activities, linking them together in a logical 
order, letting them branch by using decision 
logic. The two basic types of activities are 
monitoring activities and action activities: 

• A monitoring activity is invoked from 
an external source and used to start 
runbooks. For example, a monitoring 
activity might be triggered by a specific 
Ops Manager alert. 

• Action activities are invoked by other 
activities and carry out specified 
procedures—anything from ending 

a process, running a Microsoft .NET 
script, or restarting a service to using 
System Center Configuration Manager 
(SCCM) to deploy a software update, 
using System Center Virtual Machine 
Manager (VMM) to create a virtual 
machine (VM), or updating a System 
Center Service Manager (SCSM) job. 

Runbooks 

A runbook is a collection of activities that 
are joined together in a logical manner. The 
runbook that Figure 1 shows uses System 
Center Data Protection Manager (DPM) to 
add all protectable data sources on a speci¬
fied server, including volumes, system state 
data, and databases, to a DPM protection 
group. After these data sources have been 
added to the group, the runbook triggers 
the creation of a recovery point. 

In the sample runbook, the only inputs 
that you need to specify are the target server 
and the target protection group. Runbooks 
can be executed from the Orchestration 
console, a Microsoft Silverlight-based web 
application that runs on the Orchestrator 
Runbook server. Although this task is rela¬ 
tively simple, manually configuring this 
type of DPM protection would involve 
using Remote Desktop Connection to con¬ 
nect to a specific DPM server, running 
the DPM console (which cannot be run 
remotely in DPM 2010), and then stepping 
through a wizard to configure protection. 
But after you have the runbook configured, 
you can accomplish the same task simply 
by entering the server name and the data 
protection group name into a single web 


dialog box. A task that would take an IT pro 
5 minutes or more to complete manually 
can now be completed automatically, in 
the time it takes to load the Orchestration 
console. 

Data Bus 

The data bus holds all the execution data 
from all the objects within the runbook 
and allows you to pass information from 
one activity to another. For example, your 
first activity might be to monitor an Ops 
Manager alert that is based on the failure of 
a particular service. The information about 
which service has failed is put on the bus so 
that later tasks, such as checking the service 
status and then triggering a service restart, 
can use that information. Later in this 
article, you'll learn how to use the data bus 
to take output from a command-line utility 
and append it to the end of a text file. 

Integration Packs 

Integration packs are collections of activi¬
ties that relate to a specific product. For 
example, in Orchestrator 2012, the integra¬
tion packs for all the other System Center 
2012 products will be released. Because 
Orchestrator was originally a third-party 
product, integration packs are available 
for non-Microsoft products, such as CA 
Technologies Service Desk; HP Operations 
for UNIX, Windows, and Solaris; HP Service 
Desk; IBM Tivoli Enterprise Console; and 
VMware Infrastructure and vSphere. 

You don't need an integration pack to use 
Orchestrator with a particular product. If 
no integration pack is available from the 
vendor, you can use an Orchestrator foun¬
dation object to perform activities, including 
Run Program, Query Database, Run SSH 
Command, Query WMI, Invoke Web Services, 
Run .NET Script, and Get/Monitor/Create 
SNMP Trap. 

All these items can be used to connect 
generically to a system. What you can 
accomplish from that point depends on 
what's available in the product that you're 
attempting to automate. Orchestrator ships 
with a tool known as the Quick Integration 
Kit (QIK). The QIK is an SDK that allows 
you to create your own activities and 
integration packs, using a product's own 
command-line utilities or PowerShell 
cmdlets. The QIK is increasingly being used 
to generate community-based integration 
packs. 

Orchestration Console 

The Orchestration console allows you to 
view the real-time status of runbooks, as 
well as to start or stop runbooks. You can 
use the Orchestration console as a way of 
allowing other IT pros to execute runbooks. 
For example, you can create a runbook 
that uses the DPM integration pack to 
create a backup snapshot of a particular 
data source. You can then make this run¬ 
book available through the Orchestration 
console, as Figure 2 shows. Users, such as 
developers who are working on a database, 
can use the console to trigger a backup 
snapshot before they make a change to the 
database. The Orchestration console com¬
ponent is also used by SCSM 2012 as a way 
of triggering runbooks. SCSM allows you to 
create a more feature-complete self-service 
portal in which users can submit requests 
that trigger Orchestrator runbooks either 
directly or after the runbooks have been 
approved through an appropriate approval 
process. 

Figure 1: Example of a runbook 

Figure 2: Using the Orchestration console 

System Requirements 

All Orchestrator components can run on 
Windows Server 2008 R2. Orchestrator 
requires 1GB of RAM (although 2GB is 
recommended), 200MB of disk space, and 
a dual-core CPU or better. Like the other 
System Center 2012 products, Orchestrator 
can be run within a VM. The Runbook 
Designer and Runbook Tester can also be 
run on Windows 7 Enterprise or Ultimate 
Edition. 

Orchestrator requires access to a SQL 
Server 2008 R2 database to store con¬ 
figuration data. You'll also need to install 
Microsoft .NET Framework 4 and Silverlight 
4 for the Orchestration console. 

Creating a Basic Runbook 

Throughout this article, you've learned 
how you can use Orchestrator to automate 
even the simplest tasks. To further elabo¬
rate, let's look at how you'd use Orchestrator 
to do something simple, such as writing 
the list of tasks that are running on a 
computer to a text file named tasks.txt. 
The idea behind this basic runbook is to 
give you an idea of the actual process and 
simplicity involved in automating this task. 
Follow these steps: 

1. Create a blank text file, named 
tasks.txt, in the c:\temp directory of 
the server on which you've installed 
Orchestrator. 

2. Open the Orchestrator Runbook 
Designer. In the Menu pane, right-click 
Runbooks, click New, and then click 
Runbook. 

3. In the Activities pane, open the 
System area and drag the Run Program 
item onto the Runbook Designer work¬ 
space. When prompted whether you 
want to check out the runbook, click 
Yes. 

4. Click the Text File Management 
area. Drag the Append Line task onto the 
Runbook Designer workspace, next to the 
Run Program item. 

5. Hover the mouse over the first Run 
Program item. Click the arrow that appears 
on the right-hand side of the item and drag 
it on top of the Append Line item. 

6. Double-click the Run Program item. 
In the Program Path text box, enter 
c:\windows\system32\tasklist.exe. Click 
Finish. 

7. Double-click the Append Line item. 
In the File text box, enter c:\temp\tasks.txt. 

8. Click the dots, and then select the 
ASCII file encoding option. 

9. Right-click the Append text box, click 
Subscribe, and then click Returned Data. 

10. In the Returned Data text box, click 
Pure Output, and then click OK. 

Verify that the Append Line Properties 
dialog box looks like the one in Figure 3, 
and then click Finish. 

To execute the task, click Runbook 
Tester, and then click Run. Open the tasks 
.txt file to verify that the task list informa¬
tion has been appended to that file. 

Figure 3: Append Line Properties dialog box 

Figure 4: Using a runbook to automate SCSM alert resolution 

Orchestrator: The Glue in the 
System Center Suite 

You’re most likely to find Orchestrator 
immediately useful for integrating all the 
components of the System Center suite. 
Although you can resolve basic alerts by 
using Ops Manager's existing functionality, 
you can configure Orchestrator runbooks 
as a more sophisticated way of resolving 
Ops Manager alerts. 

You've learned that you can use 
Orchestrator to build a runbook that is 
triggered by an Ops Manager alert. But you 
can go further. For example, you can have 
the runbook use SCSM to log a job on the 
job-tracking system; automatically resolve 
the issue that triggered the alert by running 
a job in DPM, VMM, or SCCM; have the 
runbook perform a test to verify that the 
issue that triggered the original alert has 


been resolved; and then have the runbook 
update and close the job in SCSM. Figure 4 
shows a runbook that automatically reme¬ 
diates service-related problems, logging 
steps as necessary within SCSM. 

You can go further with Orchestrator 
and use it to improve your organization's 
internal processes. For example, by lever¬
aging the DPM integration pack, you can 
have SCSM trigger an automatic backup 
snapshot when an IT pro begins to imple¬
ment a change request. Similarly, you can 
use integration between SCSM, SCCM, and 
Orchestrator to simplify the provisioning of 
new user desktops. Just set things up so that 
the requirements for the new desktops are 
placed into the system through an SCSM 
web form, with Orchestrator operational¬
izing those requirements into the appropri¬
ate OS and application deployment tasks in 
SCCM. 
For name recognition, it's hard to beat Microsoft Outlook. As soon as you say those two 
words, a large percentage of computer users immediately know what you're talking about. 
With the release of Microsoft Office for Mac 2011, Microsoft rewrote the Apple Macintosh- 
based Microsoft Entourage email and calendar client and renamed it Outlook for Mac 
2011. This change represents both a radical departure from previous versions of Entourage 
and Outlook's return to the Mac. 

Years ago, Microsoft had an Outlook client for the Mac. That client used Messaging API (MAPI), but 
it was slow, buggy, not especially Mac-like, and feature-poor when compared with its Windows sibling. 
Microsoft replaced it with Entourage, and that was that. However, Entourage has long lacked many 
features that cross-platform users want, including compatibility with PST files, support for server-side 
rules, and numerous minor Outlook features. Outlook for Mac 2011 is Microsoft's attempt to bring its 
two Outlook clients closer to feature parity, as well as a competitive response against Apple's built-in 
email and calendar applications. 


Meet the renamed and revamped Microsoft email client for Mac users 

by Paul Robichaux 


A Brief History of Outlook 

The current version of Outlook for Mac is the direct descendant of Entourage, a personal information 
manager and email client that made its debut years ago in Office for Mac 2001. The original versions 
of Entourage used WWW Distributed Authoring and Versioning (WebDAV) for Microsoft Exchange 
Server support. When Microsoft announced that Microsoft Exchange Server 2010 would no longer 
support WebDAV, the Microsoft Macintosh Business Unit (known informally as MacBU) built a ver¬ 
sion of Entourage that used Exchange Web Services (EWS) instead of WebDAV. However, this change 
put companies with mixed Exchange Server 2003 and Exchange 2010 environments in a tough spot: 
Entourage 2008 Web Services Edition couldn't talk to Exchange 2003, and "regular" Entourage 2008 
couldn't talk to Exchange 2010. 

This situation continues with Outlook for Mac 2011, in that it supports only EWS as a means to 
talk to Exchange, limiting its use to Exchange 2007 and Exchange 2010. (The client also supports POP 
and IMAP for use with consumer services such as Windows Live Mail and Google Gmail.) However, 
Microsoft needed to rewrite much of the core Entourage code to make it more compatible with mod¬ 
ern versions of Apple's OS and development tools. Outlook for Mac 2011 is the result. 

It is reasonable to think of this Outlook client as a combination of the network core of Entourage 
2008 Web Services Edition and a brand-new UI that attempts to blend elements of the Office 2010 
Fluent User Interface (Microsoft's official name for the Ribbon) with Mac OS X. But the Ribbon-style 
UI isn't the only thing that's new in Outlook for Mac 2011: 

• A single unified Inbox view automatically collects messages from each account that you've 
configured. You can search, filter, and sort messages in their individual accounts or all in the 
primary Inbox view. 
• A new system for storing messages 
replaces the one monolithic database 
that Entourage used with individual 
message files. This approach is slightly 
less space-efficient but much easier 
for Apple's built-in Spotlight content 
indexing and Time Machine backup 
systems to handle. Plus, the new system 
eliminates the hassle of rebuilding 
corrupted Entourage databases. 

• This client provides support for 
reading and creating email that is 
protected with Active Directory Rights 
Management Services (AD RMS). 

• Outlook for Mac 2011 supports viewing 
and managing of server-side Exchange 
rules. (Entourage supported client-side 
rules, and Outlook for Mac does as well.) 

• The client includes support for 
importing Windows Outlook PST files, 
although Outlook for Mac doesn't 
support exporting data to PST files. 
The inability to deal with PST files 
has been a major hassle for mixed-OS 
organizations. 

A much-touted new feature of Office for 
Mac 2011 is its support for Visual Basic for 
Applications (VBA). The Office for Mac 2011 
versions of Microsoft PowerPoint, Word, 
and Excel support VBA, but Outlook for 
Mac doesn't; you'll need to use AppleScript 
to automate and control Outlook. The 
AppleScript dictionary that's defined in 
Outlook for Mac 2011 differs in many 
respects from that of Entourage, so plan on 
spending some time testing and revising 
your Entourage scripts. In general, Outlook 
for Mac has more automation support than 
Entourage did, but some object types (nota¬
bly public folders) aren't exposed in the 
dictionary and thus can't be automated. 

Other new features are less evident. For 
example, Outlook for Mac 2011 can update 
its account information after a cross-forest 
mailbox move, but you won't see that listed 
as a new feature. Other semi-hidden fea¬ 
tures include support for federated calendar 
and free/busy sharing, as well as the ability 
to display the relevant portion of your calen¬ 
dar inline within a meeting request. 

Perhaps the biggest feature in this cate¬ 
gory is the way Outlook for Mac 2011 stores 
messages. Entourage used one monolithic 
database to store messages, attachments, 
rules, and other metadata. If this database 
became corrupted, it needed to be rebuilt 
or restored—often a time-consuming 
endeavor. For Exchange accounts, just 
throwing away a corrupted database and 
re-downloading messages from the server 
was generally no big deal, but in doing so 
you'd lose the local search index. 

Having one large database also made 
it more difficult for Microsoft to integrate 
Entourage with the built-in Spotlight search 
system. To solve this problem, Outlook 
for Mac 2011 uses a much smaller data¬ 
base, and individual messages (and their 
message metadata) are stored in indi¬ 
vidual files. This arrangement eliminates 
the problem of data loss caused by data¬ 
base corruption and makes searching for 
Outlook content by using the built-in tools 
or Spotlight gratifyingly quick. 

A Quick Tour of the Outlook 2011 UI 

Figure 1 shows the Outlook for Mac main 
window. If you've ever seen Outlook 2007 
or Outlook 2010, this will be a familiar view. 
However, if you're used to Entourage, the 
appearance of the Ribbon might be a little 
confusing. At the top of the main window is 
an icon-only toolbar that gives you single¬ 
click access to commonly used commands. 
You can customize the commands that 
appear here. Immediately below this tool¬ 
bar is a row of tabs: Home, Organize, and 
Tools. The contents of the Ribbon below 
these tabs change as you switch between 
them. Most of the commands here are 
equivalent to items that used to appear 
in the Entourage toolbar; as in Windows 
Office, some Ribbon icons are pull-down 
menus, as indicated by a downward-point¬
ing triangle to the right of the icon. 

The same layout is used for message 
windows, although those windows have 
only one tab. The main Calendar, Contacts, 
and Tasks windows get the Ribbon treat¬ 
ment, as do the windows for individual 
items of each type. 

Apart from the Ribbon, most of the UI 
changes in Outlook for Mac are fairly subtle. 
The UI retains the familiar three-column 
view, although there are some changes in 
the folder list that occupies the left column. 
There's no way to reorder the accounts or 
folders that appear here, and Microsoft has 
decided to group them so that each account's 
related folders are together. For example, 
there's a single Drafts folder that shows 
you drafts from all defined accounts when 
selected. If you expand this folder, you see 
the individual Drafts folder for each account. 
After the grouped folders (Inbox, Drafts, 
Sent Items, and Deleted Items), separate 
per-account headings contain other fold¬ 
ers, including the Conversation History and 
Sync Issues folders. Although this arrange¬ 
ment might seem a bit confusing at first, 
individual folders are accessible through the 
Inbox folder, just as they are in Outlook for 
Windows. This design parallels the approach 
that Apple took in its Mail application, so it's 
familiar to most Mac users. 

Figure 1: Outlook for Mac 2011 main window 

Offline and Sync Behavior 

One long-running irritation in Entourage 
was its synchronization behavior when 
used with Exchange. There was no way to 
control when or how it synchronized, and 
the Work Offline menu command often 
needed to be used to force disconnection 
and reconnection at unexpected times. 
Outlook for Mac's sync behavior is both 
considerably faster and much more robust 
than its predecessor. For example, when in 
offline mode, you're no longer prompted 
to go online and send the message each 
time you queue a message for sending. 
This prompt used to drive me absolutely 
crazy when working through email on long 
airplane flights. 

However, there's no way to take an 
individual account offline or to provide 
separate sync settings for individual 
accounts. Outlook for Mac 2011 also lacks 
the extensive controls for dial-up and the 
low-bandwidth connection control that are 
included (though rarely used) in Outlook 
for Windows. In general, Outlook for Mac 
2011 deals gracefully with changes or inter¬ 
ruption in network connectivity, and it 
does so without any of the balloons or error 
messages that are familiar to Windows 
Outlook users. An activity window tells you 
which synchronization operations are in 
progress, but it doesn't contain much detail 
on which folders or messages are being 
synchronized at any given time. 

Conversation Threading 

Conversation threading is a semi-new fea¬ 
ture in Outlook for Mac 2011; Entourage 
could sort messages by conversation, but 
only based on the text of the message sub¬ 
ject. If you're accustomed to the way that 
conversation threading works in Outlook 
Web App (OWA) 2010 or Outlook 2010, then 
you might be somewhat disappointed by 
the Outlook for Mac 2011 implementation. 
The feature still depends on the message 
subject line and doesn't use the conversa¬ 
tion headers that Exchange Server 2010 
adds. So if your correspondents change 
the subject line of a message, the thread 
appears to break. This behavior is par¬ 
ticularly annoying for threads that originate 
from systems such as Yahoo! Groups and 
Gmail, in which the mail transport system 
itself can (and often does) meddle with 
subject lines during normal operations. 

There have also been several bizarre 
bugs in conversation threading mode. 
One nice Outlook for Mac feature is the 
ability to switch to a view that shows only 
unread messages with a single keystroke 
(Cmd+Shift+O). However, in that mode, 
Outlook frequently loses track of how many 
messages are actually in a folder, and the 
selection behavior that's used to move 
between messages in a thread is often 
inconsistent. Almost all these bugs appear 
to have been fixed in Office for Mac 2011 
Service Pack 2 (SP2). 

What's Missing 

There are two ways to categorize missing features in Outlook for Mac 2011: those which are present in Outlook 2010 for Windows and those that aren't. Microsoft never claimed that Outlook for Mac 2011 is, or is intended to be, a feature-for-feature clone of Outlook 2010. Instead, it tried to pick the most-demanded features from Outlook for Windows while still preserving a Mac-like experience that is well-integrated with the rest of the Office for Mac suite. Still, some Outlook 2010 capabilities would be welcome in a future release: 

• Support for an inline player for Exchange Unified Messaging (UM) voicemail messages—Currently, UM messages appear as normal email messages with audio attachments; niceties such as the hyperlinks in Voice Mail Preview text that play the associated audio aren't supported. (Better yet would be if Outlook for Mac became a fully fledged UM client with support for Play on Phone and call-answering rules.) 

• Support for Outlook 2010 Quick Steps—This handy feature quickly builds simple message-handling automation and binds it to a single keystroke or mouse click. Outlook for Mac includes a Scripts menu in which you can put your own AppleScripts, which can be bound to keyboard clicks. But having a single unified set of controls and behaviors across both sets of clients would be an improvement. 

• Support for displaying MailTips—Entourage has long included the ability to display some metadata (e.g., "You replied to this message on...") in a MailTips-like interface, but Outlook for Mac doesn't consume the MailTips information that the Exchange Server 2010 content-addressed storage (CAS) exposes. This feature would be relatively simple to add. 

• Integration with the Exchange Personal 
Archive feature—Personal Archives are 
accessible through OWA 2010, so Mac 
users still have full archive capability— 
just not in the same client. 

• Voting buttons—This commonly used 
Outlook for Windows feature still isn't 
supported on the Mac. This lack of 
support is a frequent complaint from 
cross-platform customers. 

In the category of non-Windows Outlook features from which Outlook for Mac could benefit, the biggest is probably performance. Outlook for Mac sometimes feels ponderous when launching or switching modes; Apple's Mail.app feels much faster for many operations. In general, Outlook performance is significantly better than that of Entourage on similar hardware, but there are improvements yet to be made. 

In a few areas, Outlook could be better integrated with Mac OS X and Apple's other apps, and there are certainly additional opportunities to integrate Exchange features. Overall, though, the missing features are minor when compared with the stability and functionality improvements that Outlook for Mac delivers. 

A Bright Future 

Most users want a rich desktop client, and for Mac users in an Exchange environment, Outlook for Mac 2011 is it. None of the other available Mac OS X clients deliver the same combination of functionality and utility. Although the program has a few rough spots, Microsoft has fixed many of them in the first two service packs, and it's clear that Microsoft understands what Mac users with Exchange mailboxes want to see in a client. The future for Outlook on the Mac looks pretty bright. 
Get a pain-free introduction to the cloud 

by Michael Dragone 


These days in the IT world, everything is about the cloud. Cloud services, cloud security, 
private clouds, hybrid clouds—the list goes on. It's enough to make your head spin. But one 
company has been offering a variety of cloud services for more than five years. Amazon's 
cloud offerings, known as Amazon Web Services (AWS), exist in the Infrastructure as a 
Service (IaaS) category. When you work with AWS, you're responsible for managing and 
maintaining your own virtual machines (VMs), including the software that you choose to 
run on top of them. This is in contrast to companies such as Salesforce.com, which offers Software as 
a Service (SaaS), or Microsoft, which offers Windows Azure as a Platform as a Service (PaaS). 

Misconceptions surround AWS in the IT community. IT pros think AWS is a developer technology 
or that only VMs that run Linux can use the service. It doesn't help that many AWS-specific terms are 
confusing. What, for example, is Elastic Block Storage (EBS)? Fortunately, getting an AWS account and 
a Windows Server VM running on the service is straightforward and inexpensive. So let’s walk through 
the steps of creating such a VM and connecting to it via Microsoft Remote Desktop Protocol (RDP). 


Sign Up, Sign In 

The first thing you'll need is an AWS account. If you already have an Amazon.com account, you're 
practically there. Head over to aws.amazon.com and click the Sign Up Now button on the right side 
of the page. (If you don't already have an Amazon.com account, you can create one here.) Sign in 
with your Amazon.com email address and password, then complete the remaining sign-up steps. 

After you've signed up and signed in, you're presented with a rather stark dashboard, as Figure 1 
shows. The top tabs show the various services that AWS offers. Take some time and explore them all. 
Some have an additional Sign Up button that you can click if you want to enable that particular AWS 
service for use. There's no harm in enabling access to all these services: With AWS, you pay only for 
the resources that you're actually using. After you're familiar with the dashboard offerings, click the 
EC2 tab. This is where you'll create and work with your Windows Server VMs. 


Create an Instance 

To get your Windows Server VM going, click the Launch Instance button. This action brings up the Request Instances Wizard, in which you can select an Amazon Machine Image (AMI) to run. AMIs come from a variety of sources, including the AWS community and Amazon itself. You'll use the Microsoft Windows Server 2008 R2 Base AMI that's presented in the Quick Start tab, as Figure 2 shows. (Unfortunately, no Windows AMIs currently qualify for the AWS free usage tier, which specifies the use of Linux. Still, for a quick test of the service, you'll be paying literally a few cents. For more information about AWS pricing, go to aws.amazon.com/ec2/pricing.) 

Figure 1: A brand new AWS dashboard 

Figure 2: Choosing an AMI 

After you select the AMI image, the 
next screen of the wizard prompts you for 
details about the Elastic Compute Cloud 
(EC2) instance that you want to create. As 
Figure 3 shows, you need only one instance; 
the Availability Zone doesn't matter in this 
situation. I selected a large instance type to 
up the available RAM from 613MB to 7.5GB 
and add an additional CPU core. 

On this screen, you'll supply more details about the instance that you want. Here, you run into some of that confusing terminology. You don't need to select a particular Kernel ID or RAM Disk ID, but what are Termination Protection and Shutdown Behavior? 

In AWS parlance, when you select Shut Down from the Windows Start Menu, the EC2 instance can be stopped or terminated. Think of these options as "dormant" or "destroyed." You can restart a stopped instance at will. A terminated instance is destroyed and cannot be restarted, hence the Termination Protection check box for those who choose Terminate as a shutdown behavior. I want my instance to stop only when I select Shut Down, so I'm leaving the Shutdown Behavior default set to Stop. 

The next screen allows for user-specified key-value pairs, to ease management. You don't need to define any of these, so simply move on. 

On the following screen, you need to create a key pair to gain access to the EC2 instance. (The AMI that you selected has a default Administrator password. Of course, you don't know that password; if it was merely a default that anyone who used AWS knew, an attacker could connect to your newly launched EC2 instance before you could. So, you'll create a key pair that can be used to gain access to the Administrator password.) Type a name for your key pair, then click Create and Download Keypair. Save the resulting .pem file somewhere that's easy for you to access. The wizard automatically moves on to the next screen. 

You now configure the firewall settings that are needed to gain access to whichever services you intend to run on the EC2 instance. Fortunately, the wizard offers to create a security group, called quick-start-1, that allows access from any IP address to RDP port 3389. This is exactly what you want for now, so click Continue to move on. 
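A security group that admits RDP from any IP address is acceptable for a few-cent experiment, but it is the first setting to tighten on any instance that stays running. The following script is an added example (it is not code from the article or from AWS) that scans security groups in the shape boto3's describe_security_groups() returns for management ports reachable from broad source ranges, and builds the narrowed replacement rule. The sample groups, the admin address 203.0.113.10 (a documentation-range placeholder), the MANAGEMENT_PORTS list and the /24 width threshold are all constructed assumptions you can tune.

```python
"""Find security-group ingress rules that expose management ports broadly.

Added example; not code from the article or from AWS. The groups below are
constructed in the shape boto3's describe_security_groups() returns, with
quick-start-1 mirroring the wizard's default (RDP 3389 from 0.0.0.0/0).
The admin address 203.0.113.10 is a documentation-range placeholder, and
MANAGEMENT_PORTS plus the /24 width threshold are assumptions to tune.
"""
from ipaddress import ip_network

# Ports that should be reachable only from known management addresses.
MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM over HTTPS"}
WIDEST_ALLOWED_PREFIX = 24   # anything wider than a /24 is treated as exposed

# Constructed sample: three groups, only the second one is acceptable.
SAMPLE_GROUPS = [
    {"GroupName": "quick-start-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
     ]},
    {"GroupName": "all-open",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # every port, every protocol
     ]},
]


def _covers(perm, port):
    """True if the permission entry covers the TCP port (protocol -1 means all)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_management_rules(groups):
    """Return (group, port, service, cidr) for each rule that lets a wide
    IPv4 source range reach a management port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for port, service in sorted(MANAGEMENT_PORTS.items()):
                if not _covers(perm, port):
                    continue
                for rng in perm.get("IpRanges", []):
                    net = ip_network(rng["CidrIp"])
                    if net.prefixlen < WIDEST_ALLOWED_PREFIX:
                        findings.append((group["GroupName"], port, service, rng["CidrIp"]))
    return findings


def restricted_rule(port, admin_cidr):
    """The replacement ingress entry: the same port, but only from admin_cidr."""
    net = ip_network(admin_cidr)   # validates the notation; raises on garbage
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net)}]}


if __name__ == "__main__":
    for group, port, service, cidr in exposed_management_rules(SAMPLE_GROUPS):
        print("%-14s %-18s tcp/%-5d open to %s" % (group, service, port, cidr))
    print("replacement:", restricted_rule(3389, "203.0.113.10/32"))
```

Run against real output by passing the SecurityGroups list from describe_security_groups() in place of SAMPLE_GROUPS; the replacement entry from restricted_rule() is in the form authorize_security_group_ingress() accepts, after the wide rule has been revoked.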

As Figure 4 shows, the final screen 
presents a summary, to which you can 
make changes if needed. If everything 
is copasetic, click Launch. A message 
appears, stating that the instance is now 
launching and providing a link to view it 
on the Instances page. Click the link, and 
you'll see something similar to Figure 5. 
When the status of the instance is listed as 
running and displays a green orb, you're 
ready to connect via RDP. First, however, 
you need to obtain the IP address of the 
EC2 instance, and grab the Administrator 
password, by using the key pair that we 
created earlier. 
Figure 4: Reviewing the instance 

Figure 6: Managing the instance 


Get Connected 

First, get the IP address. Select the check box to select the running instance, then scroll down in the lower window pane until you see the Public DNS field. This field contains the hostname that will resolve to the IP address that's currently assigned to your EC2 instance. Make a note of this address. 

Now you need to grab the Administrator password. Click the Instance Actions drop-down arrow to view the Instance Management menu, which Figure 6 shows. Select Get Windows Admin Password. A window will appear with the encrypted password. Paste the text from the .pem file that you downloaded earlier into the Private Key box, and then click Decrypt Password. You're presented with the decrypted password and the public DNS name of the instance, as a reminder. Make a note of both pieces of information. 

Figure 7: Connecting through RDP 

You can now use RDP to connect to your EC2 instance. This step is as easy as launching Remote Desktop Connection and entering the public DNS name in the Connect To box. Log on using the Administrator account and the decrypted password, and you'll be in familiar territory, as Figure 7 shows. Feel free to explore this real Windows Server VM! 

When you've finished, select Shut Down from the Start Menu. Now, take another look at the AWS dashboard. The instance status is now shown as stopped and displays a red orb. You can restart the instance by selecting its check box and clicking the Launch Instance button. By default, the public DNS name of the instance doesn't survive across launches, so make sure that you note the new public DNS name when you relaunch the instance. 

Finally, you'll terminate the instance. 
Why not just leave it in the stopped state? 
Billing for AMI disk storage continues if the 
instance isn’t terminated. You don't want 
that for this tutorial, so select the instance, 
return to the Instance Management menu, 
and choose Terminate under Instance 
Actions. The status for the instance in the 
AWS dashboard changes to terminated, 
next to a red orb. The instance will soon 
disappear entirely from the dashboard. 

Just the Beginning 

This tutorial just scratches the surface of what you can do with Windows Server running as an EC2 instance on AWS. The possibilities include building your own AMIs, using a static IP address, and monitoring your instance so that you can be alerted if there are any problems. It's even possible, albeit with some configuration caveats, to run an Active Directory (AD) domain within EC2 instances. I encourage you not to fear the cloud—wade deeper into the AWS pool and experiment. 
When I initially sat down to start this article, I quickly realized that you can't begin to troubleshoot performance issues until you have a sound baseline to start with. Otherwise, the likelihood of you figuring out what is going wrong in the environment is extremely low. With this in mind, I decided to tackle this topic from a bit of a different perspective, examining what forms the base of a solid and well-performing Microsoft SharePoint 2010 farm and working backward from there. 

Performance is a tremendously broad topic when you're talking about SharePoint 2010. End users 
frequently have concerns such as "Saving that form took too long," or "It felt like it took forever for me 
to upload a file," or—my favorite—"SharePoint feels slow." As IT pros, we rarely get specifics when 
people complain about performance; they expect us to fix problems instantly without any details of 
what's really going on. 

But SharePoint user education is a topic for another day. This article focuses instead on some of the 
main areas that you can address to ensure that any bottlenecks users experience are not SharePoint- 
related and to give you that solid foundation I mentioned earlier. 


Start with a solid foundation 

by Jason Himmelstein 


Windows Server Hardware Sizing 

First, you'll want to make sure that the platform that supports SharePoint is sound. To do so, you need 
to correctly size your hardware to support the SharePoint tier that is being hosted. You'll also need to 
ensure that Windows Server has been optimized. 

Table 1 lists Microsoft's minimum hardware requirements for web servers and application servers in a farm installation. Keep in mind that these are minimum recommendations and will serve up a minimal experience. If you want to optimize performance, these numbers are not going to be anywhere close to good enough. 

In most scenarios, web- and application-tier servers will experience CPU contention before RAM contention, but that will depend on your application-pool configuration. If you load 2GB into the application pools at startup—which you shouldn't be doing, but I've seen it happen in highly application development-focused scenarios—and you're running four app pools, then you've exhausted your RAM before a user even hits a page. For the optimal RAM profile, examine what your app pools will require, multiply that number by the number of app pools that you expect to have, and then add half again as much to ensure room for growth and the occasional application that doesn't dispose properly: 


(Required RAM) x (# of App Pools) x 1.5 = Proposed RAM Profile 


(For more information about application pools for SharePoint, review the Microsoft article "SharePoint Server 2010 capacity management: Software boundaries and limits" at technet.microsoft.com/en-us/library/cc262787.aspx.) 


www.windowsitpro.com | We're in IT with You | Windows IT Pro | FEBRUARY 2012 | 47 

■ SHAREPOINT PERFORMANCE 


Table 1: Minimum Hardware Requirements for Web and App Servers in a Farm 

                     Developer or Evaluation Environments    Single Server or Farm Production Environments 
CPU                  4 cores, 64-bit required                4 cores, 64-bit required 
RAM                  4GB                                     8GB 
Hard disk space      80GB                                    80GB 

Source: technet.microsoft.com/en-us/library/cc262485.aspx#section3 


Table 2: Minimum Hardware Requirements for SQL Servers in a Farm 

                     Small Farm                  Medium Farm                 Large Farm 
                                                                             As much as 2TB              From 2TB to 5TB 
                                                                             content database            content database 
CPU                  4 cores, 64-bit required    8 cores, 64-bit required 
RAM                  8GB                         16GB                        32GB                        64GB 
Hard disk space      80GB                        80GB 

Source: technet.microsoft.com/en-us/library/cc262485.aspx#section3; technet.microsoft.com/en-us/library/cc298801.aspx#section4 


The proper CPU profile is going to rely primarily on your environment's balance between virtualization and hardware. Microsoft Hyper-V Server 2008 R2 supports as many as four cores per guest virtual machine (VM), and VMware vSphere Enterprise Plus supports as many as eight cores. If you need more than eight cores, then your path lies with physical servers. I believe in virtualization as a path because of the lower total cost of ownership (TCO) of the high availability and disaster recovery that it enables; however, each path has its own virtues. Whichever path you choose, a general performance rule is to keep your CPU utilization at less than 50 percent per server. 

Hard disk space is a fairly straightforward decision: 80GB is never going to be enough. Each web and application server will have its own Microsoft User Location Server (ULS), IIS, and event logs; copy of the 14 hive; and WinSxS directory. Add the need for a pagefile that doubles your RAM count and a desire to make sure that your server doesn't crash because you didn't have enough disk space. I recommend a minimum of 200GB per server—400GB if you can afford it. Rather than splitting drives into multiple partitions, keep a single, larger C partition to manage growth. 

SQL Server Hardware Sizing 

The SQL Server tier is the one in which you'll want to make your hardware investment. If you don't give SQL Server enough horsepower, you're sunk before you leave port. CPU and RAM are both crucial to SQL Server performance, but be aware that SQL Server will chew up as much RAM as it can get its teeth into, regardless of load. In most cases, SQL Server takes RAM and never gives it back. CPU will trend up and down over time, but if you don't have enough cores across which to spread the load, you'll find yourself with pegged CPUs and a poorly performing SharePoint farm. Table 2 lists Microsoft's minimum hardware requirements for SQL Servers in a farm installation. 

When sizing SQL Server, always con¬ 
sider which services you can separate out. 


The minimum requirements refer specifically to the relational database management system (RDBMS) engine, not taking into account any SQL Server Integration Services (SSIS), Reporting Services (SSRS), or Analysis Services (SSAS) needs that you might have. Separate these services onto their own hardware whenever possible, and address their specific hardware requirements as well. 

Again, the minimum hardware requirements quoted above are not overly practical in real-world farms. Determine your high-availability and disaster-recovery requirements and figure out your needs for clustering versus mirroring before making your hardware purchase. When you have finished your analysis and are ready to actually make a purchase, go for as large a hardware footprint as your budget will allow. (For performance information about SQL Server clustering, I recommend the Microsoft article "Optimizing Failover Cluster Performance" at msdn.microsoft.com/en-us/library/ms190266.aspx. For performance information about SQL Server mirroring, read the Microsoft article "Database Mirroring Best Practices and Performance Considerations" at technet.microsoft.com/en-us/library/cc917681.aspx.) 

In my experience, this approach has paid off more times than I can count. Each time I refresh a lease (usually every 3 to 4 years) or purchase a new SQL Server to replace an existing box, I can never remember saying, "Wow, that server was way over-powered for what it was meant to do." My usual statement is, "It's amazing that we managed to limp along on such a small box." 

SQL Server Performance 

There are many schools of thought as to 
how to make SQL Server perform at its best. 
For the sake of this article, we're going to 
isolate the discussion to specifically those 
areas that affect SharePoint. 

Pregrow your databases and set automatic growth parameters. Why are pregrowing databases and setting automatic growth parameters important? SQL Server is at its most efficient when it has a large block of contiguous space. 

One of the worst-performing base operations for SQL Server is its database growth operation. SQL Server goes out, finds available space on disk, and adds that space to the database. By default, this operation is set to grow by 1MB per operation. When a content database is created, it has a 20MB data file and a 3MB log file. Creating a blank site takes up another 1MB of space, and the database is forced to grow. Uploading 2 PDFs (each just under 3MB) causes the data file to grow to a total of 28MB and puts the log file at 5MB. That's just 11 grow operations to create a blank site with a document library and two uploaded PDFs. Imagine how many grow operations per day will occur on a production server with hundreds of collaborating users. 

My general rule for estimating the starting size of the content database is first to get an estimate from your business analysts (or by examining your trend data) and then to double that estimate. If you think you'll need 20GB, grow your database to 40GB to ensure contiguous space. Fibre Channel and Serial ATA (SATA) disks are relatively inexpensive these days, and unless you're using enterprise flash disks (which I typically wouldn't use for content databases), you can get numerous high-capacity spindles for a fairly low price. Do stay beneath the recommended size of 200GB whenever possible. 

Table 3: Output Showing Database Settings 

Type_Desc   Name       Physical_Name                                                 State_Desc   Size   Max_Size   Growth   Is_Percent_Growth 
ROWS        master     C:\Program Files\Microsoft SQL Server\MSSQL\DATA\master.mdf   Online       512    -1         10       1 
LOG         mastlog    C:\Program Files\Microsoft SQL Server\MSSQL\DATA\master.ldf   Online       128    -1         10       1 
ROWS        model      C:\Program Files\Microsoft SQL Server\MSSQL\DATA\model.mdf    Online       256    -1         128      0 
LOG         modellog   C:\Program Files\Microsoft SQL Server\MSSQL\DATA\model.ldf    Online       128    -1         64       0 

Is_Percent_Growth: 0 = no, 1 = yes; where Is_Percent_Growth = 0, Growth = MB; where Is_Percent_Growth = 1, Growth = %. 

Make sure to set the autogrow setting 
from 1MB to something reasonable. I set 
autogrow by 500MB to 1GB, depending 
upon the importance and purpose of the 
content database. Why not set the autogrow 
to a variable, as the product allows? The 
answer is large databases. If you have a 1TB 
database and set it to autogrow to 10 percent, 
you're going to grow that database 500GB 
and the user is going to wait while it grows. If 
you set autogrow to 500MB, users will notice 
but not be seriously inconvenienced. 

If variable auto growth still needs to be a 
part of your maintenance strategy, consider 
these points: 




• Set standard autogrow to somewhere 
between 500MB to 1GB. 

• Create a daily maintenance job to 
check for the amount of free space in 
your database. 

• If the amount of free space is less than 
10 percent, then grow free space at a 
scheduled time when users will not be 
affected. 

Validating and documenting settings 
can be a bit of an accountability nightmare, 
but this is where T-SQL can help. You can 
use the query in Listing 1 to identify your 
database settings so you don't need to 
make a manual account. Table 3 shows an 
example of the listing's output. 
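Listing 1 itself is not reproduced on this page, so the following is an added example (not the article's listing) of what to do with that output once you have it: it checks each file's growth setting against the rules above and implements the daily free-space test from the bullet list. The rows are constructed to match Table 3 and use the column names of sys.master_files, where size and a fixed growth are counted in 8KB pages (so the model row's growth of 128 is the 1MB default the article describes); the space_used values stand in for FILEPROPERTY(name, 'SpaceUsed'), and the WSS_Content_Intranet row is hypothetical.

```python
"""Audit SQL Server file growth settings and plan the daily free-space check.

Added example, not the article's Listing 1. Rows are constructed to match
Table 3 with sys.master_files column names; size and a fixed growth are in
8KB pages there, so model's growth of 128 is the 1MB default the article
mentions. space_used is a constructed stand-in for FILEPROPERTY(name,
'SpaceUsed'). The WSS_Content_Intranet row is hypothetical.
"""
PAGE_MB = 8 / 1024          # one SQL Server page is 8KB
MIN_AUTOGROW_MB = 500       # article's fixed-autogrow recommendation: 500MB to 1GB
MIN_FREE_FRACTION = 0.10    # the daily job grows a file when free space drops below 10%

SAMPLE_FILES = [
    {"database": "master", "type_desc": "ROWS", "name": "master", "size": 512,
     "max_size": -1, "growth": 10, "is_percent_growth": 1, "space_used": 400},
    {"database": "master", "type_desc": "LOG", "name": "mastlog", "size": 128,
     "max_size": -1, "growth": 10, "is_percent_growth": 1, "space_used": 60},
    {"database": "model", "type_desc": "ROWS", "name": "model", "size": 256,
     "max_size": -1, "growth": 128, "is_percent_growth": 0, "space_used": 200},
    {"database": "model", "type_desc": "LOG", "name": "modellog", "size": 128,
     "max_size": -1, "growth": 64, "is_percent_growth": 0, "space_used": 100},
    # Hypothetical content database: pregrown to 40GB, 1GB fixed autogrow, 95% used.
    {"database": "WSS_Content_Intranet", "type_desc": "ROWS", "name": "WSS_Content_Intranet",
     "size": 40 * 1024 * 128, "max_size": -1, "growth": 1024 * 128,
     "is_percent_growth": 0, "space_used": 40 * 1024 * 128 * 95 // 100},
]


def pages_to_mb(pages):
    return pages * PAGE_MB


def next_growth_mb(f):
    """Size of the next autogrow step in MB: a percentage of the current size
    when is_percent_growth is set, otherwise the fixed page count."""
    if f["is_percent_growth"]:
        return pages_to_mb(f["size"]) * f["growth"] / 100
    return pages_to_mb(f["growth"])


def growth_findings(files):
    """Flag files that still use percent growth or a fixed step under 500MB."""
    findings = []
    for f in files:
        step = next_growth_mb(f)
        if f["is_percent_growth"]:
            findings.append((f["name"], "percent growth (%d%%); next step %.1f MB" % (f["growth"], step)))
        elif step < MIN_AUTOGROW_MB:
            findings.append((f["name"], "fixed growth %.1f MB is below %d MB" % (step, MIN_AUTOGROW_MB)))
    return findings


def free_fraction(f):
    return 1.0 - f["space_used"] / f["size"]


def planned_size_mb(f, step_mb=MIN_AUTOGROW_MB):
    """Daily maintenance check: when free space is under 10%, return the size
    (in MB) to grow the file to at the next maintenance window, else None."""
    if free_fraction(f) < MIN_FREE_FRACTION:
        return pages_to_mb(f["size"]) + step_mb
    return None


def alter_file_statement(f, size_mb=None, filegrowth_mb=None):
    """T-SQL that applies a new size and/or a fixed autogrow to one file."""
    opts = ["NAME = N'%s'" % f["name"]]
    if size_mb is not None:
        opts.append("SIZE = %dMB" % size_mb)
    if filegrowth_mb is not None:
        opts.append("FILEGROWTH = %dMB" % filegrowth_mb)
    return "ALTER DATABASE [%s] MODIFY FILE (%s);" % (f["database"], ", ".join(opts))


if __name__ == "__main__":
    for name, problem in growth_findings(SAMPLE_FILES):
        print("%-22s %s" % (name, problem))
    for f in SAMPLE_FILES:
        target = planned_size_mb(f)
        if target is not None:
            print(alter_file_statement(f, size_mb=target))
```

Scheduling the generated ALTER DATABASE statement for the maintenance window, rather than running it the moment the threshold trips, is what keeps the growth operation off the users' critical path.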

Know your I/O requirements. SQL Server databases consist of at least one data file and one log file, but you can create supplemental data files to spread out the workload. We're going to assume a minimum configuration for this article. 

As a general rule, the log files in SQL Server are high-intensity write, whereas the data files can be a healthy mix of both read and write. Based on this generality, the databases that SharePoint uses (other than TempDB, which is dominantly write-intensive) are generally read/write in nature. You can set up archival content databases that house read-only site collections, but the real power of SharePoint is in its collaboration functionality, which by its nature needs both read and write elements. 

Why is this knowledge vital? Data storage requires redundancy, and the core of this redundancy is RAID technology. The performance of your databases can be severely affected by the RAID level that is applied to the storage on which your databases reside, most specifically your write-intensive databases. The two most commonly used RAID levels for database storage are RAID 5 and RAID 10. 

The performance difference between RAID 5 and RAID 10 is all about writes. In RAID 5, data is written to each spindle for each block of data, whereas in RAID 10, the data is written perceptibly only one time. (Background processing to the mirror drive occurs but does not affect the user's perceived performance.) The RAID 5 phenomenon is commonly referred to as the RAID penalty or write amplification. As a result, it is highly suggested that log files, TempDB, and any databases that you expect to be write-intensive live on RAID 10. Table 4 shows a quick chart of recommendations. 

The difficult decision regarding I/O is cost versus return. RAID 10 is extremely storage inefficient and costly but provides the best possible performance and redundancy. RAID 5 is storage efficient and provides redundancy, but you'll contend with a performance hit. The best answer is to do what is best for your business, providing a healthy balance. If your department budget is $100k per year, you aren't going to be able to afford a SAN with enough storage to put everything on a separate RAID 10 and implement enterprise flash disks. Do the most you can with the budget you have (and scrape and plead for more any chance you get). 

SharePoint Web Server Load Testing 

Load testing is an often overlooked and highly disregarded art when it comes to SharePoint. We all plan to test for loads, but it seems rare that anyone actually takes the time to do so. There are several simple (as well as many more-complex) tools that allow you to load-test your environment: 

• Microsoft Load Testing Kit (LTK) for SharePoint Foundation 2010 at technet.microsoft.com/en-us/library/ff823731.aspx 

• Microsoft Web Capacity Analysis Tool (WCat) at www.iis.net/community/default.aspx?tabid=34&g=6&i=1466 

• HP LoadRunner at www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-935779 

Table 4: Recommended RAID and Optimization Settings 

DB Files                            RAID Level   Optimization 
TempDB data                         10           Write 
TempDB logs                         10           Write 
ContentDB data                      10           Read/Write 
ContentDB logs                      10           Write 
Crawl DB logs                       10           Write 
Crawl DB data                       10           Read/Write 
Property DB logs                    10           Write 
Property DB data                    10           Write 
Services DB logs                    10           Write 
Services DB data                    5/10         Read/Write 
Archive content database            5            Read 
Publishing site content database    5            Read 

A recent load test example. Looking at 
your web servers, you need to examine the 
number of concurrent users that you're 
going to expect to have and measure that 
number against what your hardware and 
VM can manage. A recent load test that I 
performed showed these results: 

• Two SharePoint web servers (four 
cores, 16GB RAM), using load 
balancing 

• One SharePoint application server (four cores, 16GB RAM) 

• One SQL Server instance (16 cores, 
128GB RAM) 

When performing a simple Create, Read, Update, and Delete operation in a standard SharePoint list, the system became completely non-responsive at 500 concurrent users. This minor field test simply logged a user in, created a list item, added text to the item, saved the item, deleted the item, and logged the user out. Watching this test on the server side, we found that we were immediately CPU-bound. 
As a result of this test, we determined that adding CPUs to the servers or adding web servers to the farm and load balancing would allow us to gain the additional concurrent user count that we expected, thereby satisfying customer requirements. These are the issues that simply knowing your infrastructure requirements can help to alleviate. 

Load balancing in your SharePoint application tier. In SharePoint 2010, Microsoft seems to have done a good job with a simple feature called the Service Application Load Balancer. This feature serves round-robin requests to all listening service applications that can respond to a given request. Therefore, if a user is hitting web application A and making a request for Microsoft Excel Services, and you have three application servers that are scoped to listen for requests on web application A, then SharePoint passes the request to the next application server in line to respond. And what manner of configuration must you, the much beleaguered and weary admin, complete to enable this magic? Not a thing. Simply add in the Service Application Load Balancer and allow the proxy to do the work. 

In all seriousness, this feature looks in the configuration database, builds a cached list of available service applications, determines which endpoints are available to process the request, and then hands off said request. This process enables not only load balancing, but fault tolerance as well. If an endpoint is unreachable, the proxy drops that endpoint from the rotation for 10 minutes (the default setting, which is configurable), after which it tries to reach the endpoint again. In a multi-farm environment, the Topology web service handles the discovery and loads the information into the local configuration database, with the endpoints being treated as though they were in the local farm. 
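The round-robin-with-quarantine behavior described above is easy to model, and doing so makes clear why an unreachable endpoint costs users at most one failed attempt every ten minutes rather than one per request. The following is an added example, a simplified model of that behavior and not SharePoint's own code; the endpoint URLs are constructed placeholders, the 600-second quarantine mirrors the 10-minute default the article quotes, and time is passed in explicitly so the logic can be exercised without waiting.

```python
"""Round-robin endpoint selection with a quarantine for failed endpoints.

Added example: a simplified model of the behavior the article attributes to
the SharePoint Service Application Load Balancer, not SharePoint's own code.
Endpoint URLs are constructed placeholders; the 600-second quarantine mirrors
the 10-minute default the article quotes. Time (seconds) is passed in
explicitly so the logic can be exercised without sleeping.
"""
from collections import deque

QUARANTINE_SECONDS = 10 * 60


class RoundRobinBalancer:
    def __init__(self, endpoints, quarantine=QUARANTINE_SECONDS):
        self._ring = deque(endpoints)      # rotation order of all known endpoints
        self._retry_at = {}                # endpoint -> time it rejoins the rotation
        self._quarantine = quarantine

    def next_endpoint(self, now):
        """Advance the rotation and return the first endpoint that is not
        quarantined (expired quarantines are lifted). None if all are down."""
        for _ in range(len(self._ring)):
            ep = self._ring[0]
            self._ring.rotate(-1)
            retry_at = self._retry_at.get(ep)
            if retry_at is None or now >= retry_at:
                self._retry_at.pop(ep, None)
                return ep
        return None

    def report_failure(self, endpoint, now):
        """Drop an unreachable endpoint from the rotation until now + quarantine."""
        self._retry_at[endpoint] = now + self._quarantine

    def quarantined(self, now):
        """Endpoints currently excluded from the rotation."""
        return sorted(ep for ep, t in self._retry_at.items() if now < t)

    def dispatch(self, request, now, send):
        """Hand the request to endpoints in rotation until send() succeeds.
        send(endpoint, request) is the caller's transport and returns True on
        success. Returns the endpoint that served the request, or None."""
        for _ in range(len(self._ring)):
            ep = self.next_endpoint(now)
            if ep is None:
                return None
            if send(ep, request):
                return ep
            self.report_failure(ep, now)
        return None


if __name__ == "__main__":
    # Constructed endpoints; the second one is unreachable until t=300s.
    lb = RoundRobinBalancer(["http://app1/excel", "http://app2/excel", "http://app3/excel"])

    def send(endpoint, request):
        return not (endpoint.startswith("http://app2") and request["t"] < 300)

    for t in (0, 1, 2, 3, 650, 651):
        print(t, lb.dispatch({"t": t}, t, send), lb.quarantined(t))
```

Note that the failure at t=1 costs that one request a retry, after which app2 is skipped without any further attempts until t=601, when it is quietly tried again; a health probe rather than a live user request is the usual refinement.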

Numerous Causes 

Any number of factors can contribute to SharePoint users' perceived performance issues. In some cases, these factors are completely out of your control or have nothing to do with SharePoint. Not to mention that users don't generally think about the size of the operations that they execute. That user who had trouble uploading a file isn't going to tell you that the file was 220MB or that they were communicating with the server via a slow hotel connection over SSL VPN. But in many situations, SharePoint issues can be avoided simply by carefully evaluating and properly sizing your hardware and supporting applications, before users get anywhere near SharePoint. 

Along with the performance solutions that I discussed in this article, a few other simple tools and features can go a long way toward troubleshooting many SharePoint issues. See the web sidebar "SharePoint Troubleshooting: A Little Data Goes a Long Way," InstantDoc ID 141674, for more information. 
NEW & IMPROVED 

■ STEALTHbits ■ Network Automation ■ A10 Networks ■ Paessler 


Network Automation Launches AutoMate 9 

Network Automation has released its latest automation software solutions, AutoMate 9 and AutoMate BPA Server 9. The release marks the expansion of the no-code platform's enhanced offerings, including fully enabled cloud-storage automation via Microsoft's Azure Storage Services; automation of a wide range of entity data management activities within the Microsoft Dynamics CRM software, including creation, deletion, updating, query, retrieval, storage, and reporting of all customer, product, and order data; and automation of optical character recognition (OCR), converting multiple text format documents into stored data, covering formats such as PDF, TIFF, JPEG, BMP, and GIF. AutoMate 9 builds upon the Unicode compliance released with AutoMate 8 to include six new languages. AutoMate 9 is currently available for purchase at www.networkautomation.com. 

MetaVis Offers Google-to-SharePoint Migration

MetaVis Technologies announced a solution for migrating Google Apps to SharePoint or Office 365. MetaVis Migrator for Google Apps allows customers to migrate Google content to either a hosted or on-premises SharePoint solution while preserving valuable metadata required for compliance and governance policies. MetaVis Migrator for Google Apps migrates all content, including version history and ownership. Users can classify and organize Google content as they migrate.

IT administrators can quickly map Google Document properties such as published, created, and modified dates to SharePoint fields. With the MetaVis Migrator product lineup, you can migrate content from multiple sources, including SharePoint 2010/2007/2003, file shares, Exchange Server Public Folders, Outlook Folders, and now Google. Download a free trial of MetaVis Migrator for Google Apps at www.metavistech.com/product/metavis-migrator-google-apps.

iWave Software Debuts iWave Storage Director

iWave Software introduced iWave Storage Director 1.5, a storage automation platform for companies to develop and operate cloud-based storage services on demand using their existing storage infrastructures. By automating the tasks associated with provisioning, reclamation, and remediation for storage, iWave Software closes the gap between rapidly expanding storage requirements and a lack of available and affordable IT resources. iWave Storage Director lowers storage operating costs by supporting more storage with fewer administrators; reduces storage outages by ensuring that best practices are automatically followed; reduces unnecessary storage expenditures by identifying and reclaiming unused storage; and improves end-user satisfaction by reducing the time to provision new storage from weeks to hours. For more information, visit www.iwavesoftware.com.

A10 Networks Introduces New AX Series Application Delivery Controllers

A10 Networks unveiled three new models—the AX 1030, the AX 3030, and the AX 5200-11—in its flagship AX Series Application Delivery Controller (ADC) family, delivering high performance and providing comprehensive application-focused capabilities for server load balancing, IPv6 migration, and virtualization projects. The new AX Series models offer faster performance, increased energy efficiency, and greater value across all price ranges and form factors. The new AX Series models include A10's innovative 64-bit Advanced Core Operating System (ACOS) with a scalable shared memory parallelism architecture that leaps the competition in scalability and flexibility. All AX Series platforms are dual-stack ready. For more information, visit www.a10networks.com.

STEALTHbits Introduces Free Data Loss Prevention Tool

STEALTHbits Technologies announced the release of StealthTOOLS DLP Lite for File Systems, a free Data Loss Prevention (DLP) tool that helps you proactively identify high-risk, unsecured content on your networks to mitigate the risk of data leakage and theft. The freeware solution is a high-efficiency, file-level content-scanning tool that gives you greater visibility into your data. By identifying sensitive and proprietary content that is unprotected or accessible by a large number of people, you can improve your data protection and security strategies through proactive analysis of shared and personal file repositories to dramatically reduce risk. DLP Lite for File Systems is easy to install, thanks to its simple install wizard; flexible, thanks to the ability to modify preconfigured expressions to suit specific requirements, use expressions found on the web, or create unique expressions from scratch to search for virtually any file condition; and powerful, thanks to DLP Lite's scoping options, wild-carding, and exception handling. The product provides granular search and output control, and condition-context features drastically reduce false positives by providing text samples found both before and after condition matches. Its powerful data pivoting and filtration features make it easy to narrow down search results or export directly to Microsoft Excel for more advanced analysis requirements. DLP Lite for File Systems is available for download immediately from the STEALTHbits website (www.stealthbits.com/free/dlplite).

VirtualSharp Software Unveils ReliableDR 3.0

VirtualSharp Software announced the newest release of its flagship product, ReliableDR 3.0, which offers a new way to address disaster recovery through process orchestration across data centers. VirtualSharp's technology was field-developed based upon needs of early adopters of VMware virtualization and cloud technologies in the 2006-to-2008 timeframe. With ReliableDR 3.0, VirtualSharp delivers an integrated, vertical disaster recovery solution across the IT stack, from storage to application, that can be delivered for cloud environments using a zero-footprint, self-service architecture. Customers will be able to take advantage of the economies of scale provided by the cloud by sharing disaster recovery testing resources, without needing dedicated infrastructure. Hosters will be able to provide a low-monthly-cost solution that not only replicates and secures data to the cloud, but more importantly certifies recoverability and ensures time to service in case of failover. For more information, visit www.virtualsharp.com.

Paessler Brings Network Monitoring to Your iOS Device

Paessler AG announced the availability of iPRTG v3.0, the latest version of the mobile monitoring app for its PRTG network monitoring solution. iPRTG lets you keep a watchful eye on your networks, and remotely manage network monitoring tasks, regardless of time or location, by pulling data directly from the PRTG server and displaying it on your Apple iPhone, iPad, or iPod touch. Paessler's flagship product, PRTG Network Monitor, is a robust solution designed to make network monitoring on virtually any scale easy, efficient, and flexible. PRTG provides continuous monitoring of LANs, WANs, servers, websites, appliances, URLs, and more, letting you find problems and resolve them before they escalate. iPRTG puts these capabilities in the palm of your hand. To learn more, visit www.paessler.com/apps/iprtg.



PROS: Beautiful screen and performance; 
excellent online services integration 

CONS: Lackluster storage 

RATING: ♦♦♦♦O 

RECOMMENDATION: Kindle Fire costs $199, less than one third the cost of a mid-level Apple iPad, but it does virtually everything important that the iPad does. However, you're implicitly accepting a future of almost purely Amazon content purchases. Plus its storage is 8GB. But it's only $199!

CONTACT: Amazon • www.amazon.com

DISCUSSION: www.winsupersite.com/article/mobile-computing-devices/amazon-kindle-fire-141379

Amazon Kindle Touch 

PROS: E-ink screen; 3G option; stellar 
battery life 

CONS: Terrible touch-screen interface; 
power button is triggered inadvertently 

RATING: ♦♦OOO

RECOMMENDATION: Kindle Touch offers a superior e-ink screen and an affordable small, light form factor. But its touch UI is non-intuitive and nondiscoverable, and the power button is easily triggered by mistake.

CONTACT: Amazon • www.amazon.com

DISCUSSION: www.winsupersite.com/article/mobile-computing-devices/amazon-kindle-touch-141348

Amazon Kindle (Base Model, 
Late 2011) 

PROS: E-ink screen; superior navigation 
buttons; thin form factor; low price; stellar 
battery life 

CONS: No 3G option 

RATING: ♦♦♦♦O 

RECOMMENDATION: The base Kindle is nearly perfect for reading, with a superb e-ink screen and the smallest and thinnest-ever Kindle form factor. If you care about reading, go with this device.

CONTACT: Amazon • www.amazon.com

DISCUSSION: www.winsupersite.com/article/mobile-computing-devices/amazon-kindle-2011-141358
Virsto for VDI, Hyper-V Edition

Hyper-V, the Windows Server 2008 R2 hypervisor, is a versatile product that can be used to virtualize data centers and desktops, and everything in-between. If you use Hyper-V heavily, you might find yourself scratching your head, wondering why your virtual machines (VMs) don't seem snappier, especially considering the powerful multiprocessor systems you use and the extra RAM and fast disk subsystems you installed. To be fair, this isn't a problem experienced by Hyper-V alone. It's experienced by most software hypervisors because they use the underlying OS's disk I/O subsystems, which is where most performance problems lie. Most OSs' disk I/O subsystems aren't optimized for virtualization and force the hypervisor to wait while outstanding read and write operations are completed.

Enter Virsto Software and its solutions for Hyper-V: Virsto for VDI, Hyper-V Edition, and Virsto for VSI, Hyper-V Edition. The difference between the two is that Virsto for VDI is designed for Hyper-V virtualized desktops, whereas Virsto for VSI is designed for Hyper-V virtualized servers. The underlying technology and features are basically identical. The two products also share a common architecture, which promises to massively speed up Hyper-V by creating a virtualized storage layer that's optimized for virtualization. In this layer, each Hyper-V host has a dedicated virtual storage layer that logs all disk I/O transactions to a log disk called the Virsto Log Space, which is typically stored on a RAM-based disk or solid state disk (SSD). Another process then optimizes and writes the transactions to a primary storage pool called the Virsto Live Space.

Although the architecture is different, Hyper-V administrators don't need to make any changes to their VMs or the way in which they work with Virtual Hard Disks (VHDs), although by leveraging vDisks (which I'll discuss shortly), they'll improve the VMs' performance. In this review, I'll focus on Virsto for VDI.

Installing and Configuring Virsto for VDI

Figure 1: Managing VMs in the Virsto VDI snap-in

Installing Virsto for VDI is a breeze—you simply run the executable file that contains the installer. The software can be installed on both Full and Core installations of Windows Server 2008 R2. The installer adds a new Microsoft Management Console (MMC) snap-in named Virsto VDI to your system and adds a Virsto folder containing a link to that snap-in to your Start menu. When you click this link, the MMC opens, displaying the Hyper-V Manager snap-in. Under it you'll find the name of your Hyper-V server and the Virsto VDI snap-in.

The next step is to configure the Virsto VDI snap-in by right-clicking it and selecting Configure, or by selecting Virsto VDI and choosing Configure on the Actions menu. A wizard then guides you through the configuration process, which includes setting up the product for either a single Hyper-V server or an environment with multiple Hyper-V servers, entering the location of the database that keeps track of configurations, selecting the Live Space and Log Space volumes, and entering your licensing key. The documentation is thorough and clear, although a quick setup guide for standalone server deployments would help tremendously.

Creating and Using vDisks

Hyper-V administrators create and use vDisks to take advantage of Virsto for VDI's storage architecture. You create VHDs for VMs on vDisks rather than directly on the underlying physical disks or VHD files. These VHDs can be bootable disks containing the actual VMs, or they can be additional volumes mounted onto existing VMs. You can also copy existing VHDs to vDisks and reconfigure the VMs to use the copied VHD on the vDisk to speed up existing VMs.

Managing VMs and vDisks

As Figure 1 shows, the MMC Virsto VDI snap-in is populated with nodes that can be used to manage your VMs and vDisks. This is where Virsto for VDI can get a little confusing, as many of the Actions can also be performed using the Hyper-V Manager snap-in, as long as you remember that you're working with virtualized storage.

Figure 2: Cloning a golden master snapshot in the Virsto VDI snap-in

For example, you can use the Hyper-V Manager snap-in to attach a vDisk to a VM, as long as you specify the location of the vDisk. However, you can attach a vDisk to a VM much more quickly and with less information to enter by using the Attach To Hyper-V wizard, which can be launched from Actions in the Disks node of the Virsto VDI snap-in.

Another example is when you work with snapshots. A Hyper-V snapshot is a point-in-time copy of the entire state of a running VM, including its configuration, state, and VHD files. It can take some time to create a Hyper-V snapshot. A Virsto for VDI snapshot is a copy of a vDisk, which is created using the unique layered storage technology featured in the product. The Virsto for VDI snapshot is created almost instantly.

The intent behind providing the actions under the Virsto VDI node is to help you make fewer menu selections and mouse clicks and reduce the likelihood that you'll make a mistake, but it's likely to confuse novice or occasional users. For this reason, I recommend that you practice with test systems before allowing operators anywhere near your production servers. Even experienced operators will find themselves flipping between the Hyper-V Manager and Virsto VDI snap-ins, but this is unavoidable.

Realizing the Benefits

On my test systems, there was a notable improvement in speed using Virsto for VDI, even when I deliberately threw some oddball configurations (including iSCSI) at it. Virsto for VDI performs best when you properly architect the solution (i.e., find the best way to use the RAM disks, SSDs, and multiple layers of storage). I suspect that even basic virtualized desktop environments with simple Log Space and Live Space storage configurations will see an improvement in performance.

Where Virsto for VDI really comes into its own is when you want to make copies of a VHD multiple times—a common scenario when you're deploying virtual desktops. The simplest way to accomplish this task is to take a snapshot of a disk that's a "golden master" and clone the snapshot as many times as needed using the Virsto VDI snap-in, as shown in Figure 2. Due to the way that the storage virtualization works, each clone is ready for use almost immediately because you don't need to completely copy the golden master image bit-for-bit to the cloned disks. Each cloned disk is also smaller than the snapshot it's cloned from, as only changes made since the cloned disk was created are stored. This tremendously reduces the amount of disk space required for VMs, even when using fixed-size virtual disks. This also allows for extremely rapid deployment of a golden master across many Hyper-V servers if you configure Virsto for VDI for multiple servers, with Live Space storage configured so that each server can access it.

Best of all, enterprises using Virsto for VDI aren't restricted to using the Virsto VDI snap-in to manage their virtual environment. Virsto for VDI supports Windows PowerShell, so administrators can write scripts to automate tasks, including cloning VHDs. Sample scripts come with the product and integrate with the popular PowerShell Management Library for Hyper-V, which is available from CodePlex (pshyperv.codeplex.com). If you want to learn how to write scripts, you can view the actions performed through the Virsto VDI snap-in as PowerShell scripts by clicking the View Script button at the end of each wizard that guides you through a task. (You click the View Script button before clicking the Finish button.)

A Useful Hyper-V Tool

If you're looking for an agile way to deploy many Hyper-V desktops or if you want to squeeze more performance out of an existing Hyper-V desktop environment, I recommend that you take a long, serious look at Virsto for VDI. Once you understand the concepts behind this product, you'll quickly learn how to maximize its effectiveness.

InstantDoc ID 141368


Virsto for VDI, Hyper-V Edition 

PROS: Extremely simple to install; noticeably improves performance, even in less-than-ideal storage configurations; extremely flexible, with support for multiple Hyper-V servers and multiple layers of storage

CONS: UI is confusing; for maximum benefit you might need a storage architect to design a solution; a quick setup guide for standalone server deployments is needed

RATING: ♦♦♦♦O 

PRICE: Starts at $2,800 per host 

RECOMMENDATION: If you're looking for an agile way to deploy many Hyper-V desktops or if you want to squeeze more performance out of an existing Hyper-V desktop environment, I recommend that you take a long, serious look at Virsto for VDI, Hyper-V Edition.

CONTACT: Virsto Software • 408-899-5694 • 
www.virsto.com 
Figure 1: V-locity host management interface

I'm a firm believer in the necessity of disk defragmentation. But only with the release of Diskeeper 2011 and its inclusion of the Efficient Mode have I been truly satisfied that the program isn't constantly chugging away at my disks aiming to maintain a perfectly defragmented state at all times, which is unnecessary.

Many servers now utilize virtualization of one kind or another. But file caching isn't optimized to work with virtualized workloads, so raw disk performance is back in the spotlight. Based on the same defragmentation engines as Diskeeper 2011, V-locity runs on Hyper-V host servers, providing local disk and SAN defragmentation. During the defrag process, it monitors agents deployed on the guest virtual machines (VMs) to ensure there's no contention for disk resources. V-locity requires a separate Windows VM (or physical device) to run the host software in VMware virtual infrastructures.

V-locity supports Windows XP SP2 or later and Windows Server 2003 or later guest OSs on Hyper-V and VMware ESX/ESXi 4.0 or later hosts. VM guests are also supported in Citrix XenServer.

My test system consisted of Hyper-V running on Windows Server 2008 R2 with a collection of Windows Server guest VMs. I found that installing the host software is straightforward and includes a warning that Windows Firewall settings might need to be modified if Diskeeper Administrator will be used to manage V-locity.

V-locity uses a variety of technologies to defrag physical and virtual disks. IntelliWrite replaces NTFS write logic to minimize defragmentation as files are written to disk. To avoid interfering with SAN optimization, Instant Defrag cleans up any fragments that occur while the write is still in process. InvisiTasking ensures that any defrag activity happens using idle processor cycles, while CogniSAN and V-Aware monitor VMs on local disks and SANs to ensure that there's no contention for resources as guest VMs defrag their local disks.

V-locity detects different types of Virtual Hard Disks (VHDs), optimizing defrag routines to minimize unnecessary disk growth. Space reclamation works in conjunction with live migration tools to compact VHDs during the migration process. V-locity automatically zeros out unused data blocks on VHDs so that Automatic Space Reclamation can run while a disk is online. VHDs can also be compacted manually if they're dynamic (or thin in VMware terminology) and offline. Finally, I-FAAST organizes files on the disk to provide the fastest access to frequently used files.

After installation, you probably won't touch the management interface often, apart from the occasional need to compact VHDs. One disadvantage is that you must log on to each guest VM to perform management tasks; there's no centralized view from the host server. Navigating the management console is intuitive, with all the discovered disks listed at the top and statistics on current operations and performance of the defragmentation engine shown below. On the host server, the management interface lists all guest VMs on which V-locity has been installed, as Figure 1 shows, which is a comforting indication that the software is able to detect disk usage across all virtual systems.

V-locity reported a 34 percent I/O improvement after installation on my Hyper-V host. You can generate reports for individual disks by clicking Analyze. This report contains detailed information about a disk's current state and performance.

The best thing about V-locity is the price. It's licensed per CPU on the host with an unlimited number of VMs. Despite the software's management shortcomings, at this price it's a no-brainer. Diskeeper Administrator can be licensed at an additional cost if you need to manage many V-locity hosts. Smaller shops can probably survive without the extra management functionality because V-locity largely does its stuff without needing constant monitoring.

InstantDoc ID 141617


V-locity 3 

PROS: Invisible defragmentation of virtual and physical disks to improve I/O performance

CONS: Management software must be purchased separately

RATING: ♦♦♦♦♦ 

PRICE: $199 per CPU core, with volume discounts starting at 25 cores; VM-based pricing also available

RECOMMENDATION: V-locity is a no-brainer for all but the most cash-strapped organizations.

CONTACT: Diskeeper • 818-771-1600 or 800-829-6468 • www.diskeeper.com
REVIEW

Help Desk Authority 9.0

Help Desk Authority 9.0 from ScriptLogic is a Help desk ticketing system that integrates with some of the company's other products to offer a complete IT service management solution. The core software consists of Helpdesk Administrator (a Microsoft .NET Framework desktop client) and a server component that requires Microsoft SQL Server 2005 or later (full or Express version). The server component includes modules to import users and groups into Help Desk Authority from Active Directory (AD) and import information from other ScriptLogic tools, such as Desktop Authority (desktop management software), PacketTrap IT (a network monitoring tool), and HDAsset (a machine inventory tool). Microsoft IIS is needed for the optional web components, which include a fully featured browser version of the desktop client and a ticket requester for users. Help Desk Authority runs on Windows XP SP3 and later.

Help Desk Authority aims to simplify life for Help desk staff by integrating network monitoring utilities (e.g., PacketTrap IT), social media tools (e.g., message board, chat functionality), remote support software (e.g., Remote Support Center), and other tools into its Help desk ticketing system. All these tools are accessible from Helpdesk Administrator. When you log on to Helpdesk Administrator, you're presented with a Microsoft Outlook-style interface for browsing the default views and open tickets. As with Outlook's interface, the desktop client's interface is a little too busy for my taste. I prefer the simpler layout of the web client.

Helpdesk Administrator's dashboard provides an overview of open issues in the form of charts that are interactive and can be used to drill down to open tickets in the database. Tickets can hold a mass of information, including links to users (which Help Desk Authority refers to as requesters) and their issue history and assets. Client and product information can also be stored, which is useful for service providers.

The query manager in the desktop client doesn't have any limitations, so you can perform detailed searches, making it easy to find issues based on any criteria you choose. Although Helpdesk Administrator provides a number of built-in reports you can run, you need to purchase SAP Crystal Reports to generate custom reports.

The Remote Support Center console, which can be launched from Helpdesk Administrator, runs in a web browser and provides quick and simple access to remote computer settings and configurations. The console brings together the functionality of separate Microsoft tools, such as the Microsoft Management Console (MMC) Computer Management snap-in. It also provides an easy way to browse Windows Management Instrumentation (WMI) data over a secure SSL link. Other features include file transfer capabilities and access to Windows Performance Monitor and Scheduled Tasks.

Help desk staff can use Remote Support Center to manage remote computers, without the need to run complex commands or start a desktop session on the remote devices. Remote control is achieved through the ExpertAssist client, which can be installed from the Remote Support Center console. A reduced-functionality version of the remote client, InstantAssist, can also be downloaded to remote desktops, without the need for the user to have any special privileges to complete the install process. Both ExpertAssist and InstantAssist require Java.

There are two editions of Help Desk Authority: Professional and Enterprise. The Enterprise Edition comes with:

• 250 seats for Remote Support Center, HDAsset, and Password Self-Service (a module that lets users reset forgotten passwords and unlock accounts without contacting the Help desk)

• 50 device licenses for PacketTrap IT

• five technician licenses

Remote Support Center, HDAsset, and PacketTrap IT must be installed and licensed separately in the Professional Edition, which includes two technician licenses. Additional technician licenses retail at $499 for both editions. Both editions also include the free sl360 Troubleshooting Tool Suite.

Help Desk Authority is a complex product but offers a lot of functionality for the price. On the plus side, tickets can be customized, issues can be automatically escalated by email, and users can reset their own passwords with the optional Password Self-Service module. Although setting up and customizing Help Desk Authority will likely require a time commitment, you won't need to pay for professional services. On the minus side, although Help Desk Authority aims to simplify life for Help desk staff by assimilating the remote support, network monitoring, and social media tools into the main product, this assimilation adds more complexity and can sometimes be confusing.

The bottom line is that Help Desk Authority is an affordable option for midsized organizations and service providers looking for enterprise-class functionality. However, you shouldn't overlook the time required to get it set up and the possible learning curve for your Help desk staff.

InstantDoc ID 141295


Help Desk Authority 9.0 

PROS: Enterprise-class features at an attractive price

CONS: Add-ons and other components can lead to operational complexity

RATING: ♦♦♦♦O

PRICE: $1,995 for the Professional Edition; $7,995 for the Enterprise Edition

RECOMMENDATION: If you're on a budget and looking for a reliable IT service management solution with good support, Help Desk Authority could fit the bill if you have the time to set it up and train the Help desk staff.

CONTACT: ScriptLogic • 800-813-6415 or 
561-886-2400 • www.scriptlogic.com 
COMPARATIVE REVIEW

Network Management Tools

Be the first to know when there's trouble on your network
by Eric B. Rux

Have you ever received a call from a customer or, worse yet, your boss asking why a particular service was slow or completely down? More likely than not, you've been in that uncomfortable situation, so you know it isn't fun. A network management tool can help you avoid this situation and ensure that you're the first to know when there's trouble in the network.

I recently reviewed four network management solutions, two of which are free, as Table 1 shows. Depending on your environment and budget, one of these solutions is probably right for you.

Spiceworks

Spiceworks stands out in this review because it's free. By showing non-intrusive advertisements within the application, you're able to use this tool for no charge. If the advertisements start to bother you or if your company doesn't allow them, Spiceworks can be purchased for $45 a month. You get a small break ($495 instead of $540) if you purchase it a year at a time. This product also stands out from the others because it includes a full-featured Help desk.

Spiceworks is big on community involvement. For example, you can contact local Spiceworks users through SpiceCorps or participate in traditional forums on the community website (community.spiceworks.com). When I browsed through the forums, I found them to be very active and friendly.

Installing Spiceworks is easy. As soon as the setup is complete, you create an initial account and password. Then, a large prompt asks you where you would like to start, with the choices being Inventory, Help Desk, or Configuration Backup.

Clicking Inventory starts an IP scan of your network. A wizard helps you set up the proper credentials for Windows, UNIX, Apple, and other servers accessible through Secure Shell (SSH), and for printers, switches, or other SNMP devices. The scan took a few minutes to find, log on to, and inventory all the network devices on my test network.

As soon as the scan was complete, Spiceworks sent me an email detailing what was scanned. The main Inventory page has a running log of what was discovered and notes whether there were any problems with the scan. For example, Spiceworks found my VMware ESXi server but was unable to provide detailed information about it because the username and password that I entered during setup weren't correct. Clicking the ESXi server brought up a menu that allowed me to fix the authentication problem. The next time I ran the scan, Spiceworks found the ESXi server, logged on, and updated the inventory information. Spiceworks not only provided information about each virtual machine (VM) but also listed the names of the VMware data stores and how much space was left in each one. The interface is very intuitive, making it easy to identify and fix common configuration mistakes.

I spent some time looking over the dashboard, which Figure 1 
shows. Out of the box, the dashboard shows the network at a glance 
and displays information about 12 common areas, such as antivirus 
software status, Microsoft Exchange Server data, inventory sum¬ 
mary, upcoming warranty expirations, and alerts. The dashboard 
is completely configurable (e.g., you can add, remove, or move 
sections). 

I also tested the Spiceworks Help desk. As the manager of technical support services for a large university, I was curious to see how this solution stood up to the big boys. To help you get started, there are four tickets already created that walk you through an overview of the Help desk system and how it's configured. I quickly learned that the Help desk is very basic. For example, there are no group functions, request types, or escalation paths—all essential in large IT organizations. 

One of the Help desk's strengths is email ticket scraping. This feature lets users simply email their requests. The Help desk system will "scrape" the information from the email and automatically create a ticket for you. Another homerun is the Help desk portal where users can log on to a web page (which uses Active Directory—AD—authentication) to log their tickets. 

For a business with just a few people, this Help desk is the perfect solution. Just keep in mind that it won't scale well if you have a large user or technician base. 

Spiceworks includes 21 canned reports, including reports that provide Help desk ticket information, list computers without antivirus software, and list computers with low disk space. You can also download community-written reports from the Community website. Two reports caught my eye: One report provides Exchange usage information (e.g., last user logon, users' mailbox sizes, and total number of items) and the other lists locally connected printers. 

The Spiceworks mobile application rounds out this feature-rich platform. You can check on Help desk tickets, keep abreast of inventory alerts, check the latest comments from the Spiceworks community, and more. If you support multiple sites, you can set up a profile for each site so that you don't have to remember different username/password/address combinations. 

Spiceworks is a great tool. It's fully featured and free. Even at $45 a month or $495 a year, it's a steal. Small companies that don't need a big, expensive solution should put Spiceworks at the top of their list. 

Table 1: Feature Comparison 

Ipswitch (781-676-5700; 800-793-4825; www.whatsupgold.com) 
  Product: WhatsUp Gold v15 
  Price: Standard Edition $1,895 (up to 100 devices); Premium Edition $2,695 (up to 100 devices); Distributed Edition $3,495/central and $2,695/remote (up to 100 devices) 
  Minimum Requirements: Windows 2003 SP2 or later; dual-core 2.0 GHz minimum; 2GB RAM minimum 
  AD Authentication for User Accounts: Yes (very granular security) 
  Built-In Help Desk: No 
  Agent Based: No 
  Configurable Dashboard: Yes 
  Back-End Database: SQL Server Express 2005; SQL Server 2005 or later recommended for large networks 
  Mobile Phone Accessibility: Yes (with iPhone app or by appending "/mobile" to the end of the web address) 
  NetFlow: Yes 

Quest Software (949-754-8000; 800-306-9329; www.quest.com) 
  Product: Foglight Network Management System (NMS) 
  Price: Free for first 100 devices, $99 per device after that 
  Minimum Requirements: Windows 2003 SP2 or later; dual-core 3.0 GHz minimum; 4GB RAM minimum 
  AD Authentication for User Accounts: No 
  Built-In Help Desk: Limited 
  Agent Based: Agent or SNMP 
  Configurable Dashboard: Yes 
  Back-End Database: SQL Server Compact in limited situations; SQL Server 2005 or later recommended 
  Mobile Phone Accessibility: No 
  NetFlow: Yes 

SolarWinds (866-530-8100; www.solarwinds.com) 
  Product: Orion Network Performance Monitor (NPM) 
  Price: Starts at $2,475 ($3,595 for 100 nodes) 
  Minimum Requirements: Windows 2003 SP2 or later; 2.0 GHz minimum; 3GB RAM minimum 
  AD Authentication for User Accounts: Yes (individual account and security group) 
  Built-In Help Desk: No 
  Agent Based: No 
  Configurable Dashboard: Yes 
  Back-End Database: SQL Server Express 2005 for small networks; SQL Server 2005 or later recommended for mid-sized or large networks 
  Mobile Phone Accessibility: Yes (with mobile web browser or by appending "?IsMobileView=true" to the end of the web address) 
  NetFlow: Yes 

Spiceworks (512-346-7743; www.spiceworks.com) 
  Product: Spiceworks 
  Price: Free (contains advertising); $45 a month or $495 a year (advertisements removed) 
  Minimum Requirements: Windows XP SP2 or later or Windows Server 2003 SP1 or later; 1.5GHz P4 minimum; 1GB RAM minimum 
  AD Authentication for User Accounts: Yes (Help desk only) 
  Built-In Help Desk: Yes 
  Agent Based: No 
  Configurable Dashboard: Yes 
  Back-End Database: SQL Server Express 2005 
  Mobile Phone Accessibility: Yes (with iPhone or Android app) 
  NetFlow: No 


Spiceworks 

PROS: Outstanding inventory scanning 
functionality; built-in emphasis on community 
to solve problems fast; mobile application 
extremely well laid out 


CONS: Help desk system too basic for larger 
businesses or IT departments 

RATING: ♦♦♦♦O 

PRICE: Free (contains advertising); $45 a month 
or $495 a year (advertisements removed) 

RECOMMENDATION: If you work for a small 
company that needs inventory and Help desk 
tools but you don't have a lot of money in your 
budget to spend on them, install Spiceworks on 
every server you support. 

CONTACT: Spiceworks • 512-346-7743 • 
www.spiceworks.com 


Table 1: Feature Comparison (continued) 

Ipswitch WhatsUp Gold v15 
  Network Map: Yes 
  Multisite Capable: Yes 
  Linux, UNIX, and Apple Monitoring: Yes 
  Virtual Server Aware (Host and VM): Yes 
  Connect via Remote Desktop from Within Application: Yes 
  Exchange Server Monitoring: Yes 
  Built-In Monitors (descriptions come directly from the application or administration guide): APC UPS; DNS; email; event logs (Windows); Exchange (2003/2007); fan; file properties; folder; FTP; HTTP content; network statistics; NT Services; ping; power supply; printer; process; SNMP; SQL query; SQL Server; SSH; syslog; TCP/IP; Telnet; temperature; VoIP; WAP Radio; WMI 
  Notification Actions (descriptions come directly from the application or administration guide): Email; visual; beeper; log to text file; pager; service restart; SMS; SNMP set; sound; SSH; syslog; text to speech; VMware action; Windows event log; Win popup 

Quest Software Foglight NMS 
  Network Map: Yes 
  Multisite Capable: Yes 
  Linux, UNIX, and Apple Monitoring: Yes 
  Virtual Server Aware (Host and VM): Yes 
  Connect via Remote Desktop from Within Application: Yes 
  Exchange Server Monitoring: Yes 
  Built-In Monitors: Active Directory; call manager; DNS/NETBIOS; Exchange Server; Web server; IP SLA; disk; memory; NetFlow; network traffic; IP configuration; network statistics; ping; POP3; running processes; CPU; SMTP; SNMP traps; SQL Server; port map; syslog listener; TCP ports; VMware; VoIP active calls, call history, manager settings, manager status; hardware inventory; Windows services 
  Notification Actions: Email; visual; script; start process/kill process/list processes; start service/daemon; stop service/daemon; list services/daemons; IP configuration information; list network interface statistics; routing table information; list active connections; send syslog message; shutdown/restart system 

SolarWinds Orion NPM 
  Network Map: Yes 
  Multisite Capable: Yes 
  Linux, UNIX, and Apple Monitoring: Yes 
  Virtual Server Aware (Host and VM): Yes 
  Connect via Remote Desktop from Within Application: No 
  Exchange Server Monitoring: Yes 
  Built-In Monitors: Group goes down/warning/critical state; problem with managed node; node goes down; node reboots; polling engine has not updated the database; Rogue Access Point is detected; Thin Wireless Access Point goes down; Wireless AP has more than 10 clients; interface goes down; interface is shut down; high bandwidth utilization by an Access Point; high packet loss monitoring; high response time monitoring; high transmit percent utilization; IOS image family change; IOS version change 
  Notification Actions: Email; page; log to a file; Windows event log; log to NetPerfMon event log; text to speech output; SNMP trap; send syslog message; execute an external program; execute an external VB script; email a web page; get or post a URL to a web server; send a Windows Net Send message; dial paging or SMS service 

Spiceworks 
  Network Map: Yes (via a separate free download) 
  Multisite Capable: Yes 
  Linux, UNIX, and Apple Monitoring: Yes 
  Virtual Server Aware (Host and VM): Yes 
  Connect via Remote Desktop from Within Application: Yes 
  Exchange Server Monitoring: Yes 
  Built-In Monitors: Disk; antivirus; software (installed status); printer supply level; vendor/cloud service end date; warranty expiration date; UPS power event; web domain expiration date 
  Notification Actions: Email; visual 

Figure 1: Spiceworks dashboard 


Foglight Network Management 
System (NMS) 

Sticking with the "free" theme, I chose Quest Software's Foglight Network Management System (NMS) as the second product for this review. You can use this feature-rich software to monitor up to 100 devices on your network for free. If you need to monitor more devices, you can purchase the full version of Foglight NMS for $99 per device for any device beyond 100. So, for example, if your network has 200 devices, you would pay $9,900 (100 x $99), and you can use the full version's three add-ons (Traffic Analysis, IPSLA-VoIP, and Remote Site Monitoring with Pollers) with all 200 devices. You can also purchase two other add-ons: Performance Monitoring and Configuration Management. Unfortunately, the information about these five add-ons isn't easily accessible from the Quest website. If they interest you, you'll have to contact Quest directly. 

Both the free and full versions of 
Foglight NMS include the Network Flow 
Analyzer Module, Remote Agent Module, 
VoIP Monitoring Module, and Wireless 
Monitoring Module. You can also purchase 
additional components, such as vFoglight 
for virtual machines (VMs). 

Like Spiceworks, Quest is heavy on community. There's a Community link within the product that takes you directly to a community website (www.quest.com/communities) where you can ask your peers questions and even forward ideas to the developer team. However, most of the forums are specifically centered on Quest products and the forums on general topics aren't too active. For example, the SharePoint forum was empty and the Oracle forum only had nine posts, with a majority of them being over 6 months old. 

Foglight NMS should be installed on a separate physical machine or VM. The fully automated setup installs the prerequisites, such as Microsoft .NET Framework 4.0 and SQL Server Compact. According to the system requirements documentation, SQL Server Compact is for use when you're trying out Foglight NMS or for low device count installations. You need to install the Standard or Enterprise Edition of SQL Server in production environments. 

After the setup was complete, I logged on to Foglight NMS Studio and proceeded to register the product. From here, you choose either the free version or enter a license key if you need to monitor more than 100 devices. Even though I was provided a license key, I reviewed the free version. 

A splash screen provides links to Help articles that guide you through the initial setup of the monitoring system. You can monitor devices by using SNMP, using Windows Management Instrumentation (WMI), deploying remote agents, or collecting syslog, NetFlow, or SNMP trap data. 

I decided to use SNMP and WMI to monitor the devices on my test network. I clicked Add Device(s), which brings up a wizard that lets you add devices through SNMP network discovery or agent deployment. SNMP network discovery did a great job of finding all the devices on my test network. After the devices were discovered, the left-hand menu indicated that 11 devices had the condition of Credential Not Set. Clicking this menu item brought up a list of devices that Foglight NMS wasn't able to log on to. They included an Apple server, network hardware, and Windows Home Server. From this list, I was able to set the proper credentials for each device. The interface was so intuitive that I didn't have to use the Help system or look online for assistance. After I set the proper credentials, Foglight NMS actively monitored my entire test network. 

Figure 2: Foglight NMS dashboard 

Even though it's a free product, a wealth 
of features are available. One feature I 
explored was the network map creation 
tool. After you add icons that represent 
your devices, you use a GUI (powered by 
Adobe Flash Player) to manipulate them 
into a configuration that simulates the 
physical layout of your environment. You 
can create more than one map to show 
multiple layers. For example, one map can 
be built on top of a picture of the United 
States. Each subsequent map can then 
show more and more detail. 

As I worked, I noticed that Foglight 
NMS didn't properly identify my ESXi 
server. This could be because it's an older 
version (3.x). Plus, ESXi was renamed 
vSphere Hypervisor in 2010. Manually 
configuring Foglight NMS to recognize the 
server as a VMware device was easy. After 
I did this and set the correct credentials, it 
immediately started gathering statistics on 
CPU utilization, memory usage, and more. 
It even included statistics for the VMs. 

If your network has multiple physical sites, you might want to have a Foglight NMS server in each location. In this scenario, you can set up different sites to help organize the devices that you're monitoring. These sites then report back to one central Foglight NMS server. 

You can set up alerts in Foglight NMS. 
You can configure it to not only notify you 
when an alert is triggered but also perform 
an action, such as stopping a service or 
running a custom script. 


Foglight has the capability to collect NetFlow statistics. Clicking NetFlow in the Tools menu for the first time prompts you to download the 10MB PacketTrap Tool Suite. The suite is a trial version, but it expires in 2031, so you have some time to kick the tires before it runs out. (According to Kelly O'Dwyer-Manuel, a senior analyst/public relations specialist at Quest, this tool will be rebranded to Quest Free Network Tools in the near future and the trial version will simply be turned into a free application.) However, I wasn't impressed with this "bolt-on" approach. Foglight NMS by itself is an impressive application, but the way PacketTrap integrated into the product wasn't clean. 

Foglight NMS is a well laid out application with a great dashboard, as Figure 2 shows. If you have a Help desk that needs to view the status of your network, you can provide a read-only view via a website. You just add the port 5053 to the end of the server name (e.g., https://Foglight:5053), and you're set. 

Overall, I found Foglight NMS to be intuitive and easy to use. The fact that it is free for up to 100 devices should make mid-sized businesses perk up and take notice. I've been looking for a free network monitor for my home network—and I think I just found it. 


Foglight Network Management 
System (NMS) 

PROS: Free for up to 100 devices; intuitive and 
easy to use 

CONS: Integration with the PacketTrap Tool 
Suite not clean; can become expensive as 
network grows 

RATING: ♦♦♦♦O 


PRICE: Free for first 100 devices, $99 per device 
after that 

RECOMMENDATION: If you currently have 
around 75 devices and don't expect a lot of 
network growth, Foglight NMS should be at the 
top of your list. Even if you have to pay for the 
product, it's still a great value if you don't have 
too many devices over 100. 

CONTACT: Quest Software • 949-754-8000 or 800-306-9329 • www.quest.com 


WhatsUp Gold 

Ipswitch's WhatsUp Gold is a mature product that's been around for well over 10 years, which is evident in its deeply rich feature set. Ipswitch has been listening to users and making improvements based on their comments and suggestions. 

WhatsUp Gold comes in three editions: Standard, Premium, and Distributed. The Premium Edition includes everything in the Standard Edition and adds monitoring through WMI, UNIX and Linux monitoring, Wireless Access Point monitoring, and other advanced monitoring features. The Distributed Edition adds functionality for networks that are distributed over a large geographical area. You'll find a detailed list of what comes with each edition on WhatsUp Gold's website. If you find that you need to move up to a higher edition, no reinstallation is necessary. You simply enter a new license key, and the product is automatically upgraded to the new version. 

I reviewed the Premium Edition of WhatsUp Gold v15. Setting it up was easy because it takes care of the prerequisites, such as installing .NET Framework 4.0, IIS, and SQL Server Express 2005. If you have a large network, you might want to use a dedicated SQL Server 2008 or SQL Server 2005 instance instead of SQL Server Express. The setup package contains two WhatsUp Gold add-ons: WhatsConnected and WhatsConfigured. For the purpose of this review, I installed only WhatsUp Gold. 

After the installation, a wizard walks 
you through configuring SMTP notification 
and credentials for the different devices 
connected to your network. As the network 
is scanned, you can watch WhatsUp Gold 
find each device, resolve its hostname, and 
attempt to discover its role (e.g., VMware 
host, Windows server). 

WhatsUp Gold did a good job of finding and identifying the devices. What it couldn't properly identify was easy to adjust. What's nice about this product is that you can configure everything using either the Windows console or web console. 

Larger networks can have hundreds and even thousands of network devices. WhatsUp Gold helps you find these devices by grouping them together. There are two kinds of groups: nondynamic groups and dynamic groups. Nondynamic groups are manually managed. You drag and drop devices onto each group manually. For example, if you have two physical locations, you might want to create a New York group and a Seattle group, then drag and drop the network devices into the appropriate group. 

WhatsUp Gold comes preconfigured with 20 dynamic groups, and the Help database has 14 more. You use a SQL statement to populate them. For example, if you want to place all of your Cisco devices into a dynamic group, the SQL statement would look like this: 

SELECT DISTINCT Device.nDeviceID 
FROM Device 
WHERE Device.bRemoved = 0 AND 
  Device.sSnmpOID LIKE N'1.3.6.1.4.1.9%' 

Even if you're only a little familiar with SQL, 
the examples should be enough to help you 
create your own dynamic groups. However, 
if you're uncomfortable with SQL, you 
might find this feature frustrating. I would 
like to see WhatsUp Gold keep the manual 
SQL functionality (for those users who 
know SQL) but add a wizard that helps you 
build SQL statements. 
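Two further dynamic-group queries in the same shape as the Cisco example, using only the Device columns that example references (nDeviceID, bRemoved, sSnmpOID). They are added here as illustration and are not among WhatsUp Gold's shipped or Help-database groups; the table and column names come from the query above, the dbo schema is assumed, and the enterprise numbers are IANA assignments (Cisco 9, HP 11, Juniper 2636). They generalize the single-vendor case in two directions: a multi-vendor group whose patterns end in a dot, so that a pattern meant for enterprise 9 cannot also match enterprises 90 through 99, and an inverse group listing devices still in inventory for which discovery recorded no SNMP sysObjectID, which is the part of the network you are inventorying but not actually monitoring.

```sql
-- Added example, not one of WhatsUp Gold's built-in dynamic groups.
-- Table and columns are the ones used by the article's own query:
-- Device.nDeviceID, Device.bRemoved, Device.sSnmpOID (schema dbo assumed).
-- Each dynamic group holds a single SELECT; two are shown here.

-- Group 1: network gear from three vendors, matched on the IANA enterprise
-- number that sysObjectID starts with (Cisco = 9, HP = 11, Juniper = 2636).
-- The trailing dot in each pattern matters: N'1.3.6.1.4.1.9%' would also
-- match enterprise 90, 99, 900 and so on.
SELECT DISTINCT Device.nDeviceID
FROM Device
WHERE Device.bRemoved = 0
  AND (Device.sSnmpOID LIKE N'1.3.6.1.4.1.9.%'
    OR Device.sSnmpOID LIKE N'1.3.6.1.4.1.11.%'
    OR Device.sSnmpOID LIKE N'1.3.6.1.4.1.2636.%');

-- Group 2: devices still in inventory that have no sysObjectID recorded,
-- i.e. discovery never got an SNMP answer with the credentials it was
-- given. These are the hosts that are inventoried but not really monitored,
-- and the ones to chase for credentials or firewall rules.
SELECT DISTINCT Device.nDeviceID
FROM Device
WHERE Device.bRemoved = 0
  AND (Device.sSnmpOID IS NULL OR LTRIM(RTRIM(Device.sSnmpOID)) = N'');
```

Paste each SELECT into its own dynamic group; following the article's example, the statement returns only nDeviceID values, which is what the group definition needs.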

Ipswitch posts the database schema on its website, which makes writing queries and creating custom reports easier. Obviously it doesn't support writing to it outside of the WhatsUp Gold application, but the company encourages read-only access if it helps you gather the data you need. 
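One way to take Ipswitch up on its read-only offer without handing a reporting tool the application's own database credentials: a SQL Server login that can read the WhatsUp Gold tables and nothing else, followed by a check that the restriction holds. This is an added example, not an Ipswitch procedure. It assumes SQL Server 2005 or later (which is why it uses sp_addrolemember rather than the newer ALTER ROLE syntax), that the WhatsUp Gold database is called WhatsUpDB (a placeholder; use the name of the database on your instance), and that the Device table from the article's query lives in the dbo schema. The login name and password literal are placeholders too.

```sql
-- Added example: least-privilege reporting access to the WhatsUp Gold
-- database. Not an Ipswitch procedure. Placeholders: database name
-- WhatsUpDB, login name wug_reporting, and the password literal.
-- Uses only syntax available on SQL Server 2005/2008, the versions the
-- review discusses.

USE master;
GO
-- SQL login used only by the reporting tool, never the application's own login.
CREATE LOGIN wug_reporting
    WITH PASSWORD = 'REPLACE_WITH_A_STRONG_PASSWORD',
         CHECK_POLICY = ON;
GO

USE WhatsUpDB;   -- placeholder: the WhatsUp Gold database on your instance
GO
CREATE USER wug_reporting FOR LOGIN wug_reporting;
-- db_datareader grants SELECT on every user table and nothing else.
EXEC sp_addrolemember 'db_datareader', 'wug_reporting';
-- Explicit DENY so a later, broader GRANT cannot quietly reintroduce writes.
DENY INSERT, UPDATE, DELETE, ALTER ON SCHEMA::dbo TO wug_reporting;
GO

-- Check the result from the reporting user's point of view before handing
-- the login out: SELECT on Device is allowed, UPDATE is not.
EXECUTE AS USER = 'wug_reporting';
SELECT HAS_PERMS_BY_NAME('dbo.Device', 'OBJECT', 'SELECT') AS CanSelectDevice,
       HAS_PERMS_BY_NAME('dbo.Device', 'OBJECT', 'UPDATE') AS CanUpdateDevice;
REVERT;
GO

-- A coverage report the restricted login can run: active (not removed)
-- devices, split by whether discovery captured an SNMP sysObjectID for them.
SELECT CASE WHEN Device.sSnmpOID IS NULL OR Device.sSnmpOID = N''
            THEN 'no sysObjectID' ELSE 'sysObjectID recorded' END AS SnmpState,
       COUNT(DISTINCT Device.nDeviceID) AS Devices
FROM dbo.Device
WHERE Device.bRemoved = 0
GROUP BY CASE WHEN Device.sSnmpOID IS NULL OR Device.sSnmpOID = N''
              THEN 'no sysObjectID' ELSE 'sysObjectID recorded' END;
```

Run the script as a sysadmin; the EXECUTE AS block needs no extra permission in that case. HAS_PERMS_BY_NAME returns 1 for SELECT and 0 for UPDATE once the role and DENY are in place, and the final query is the kind of read-only report Ipswitch says it is happy for you to write against the published schema.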

Besides performing the typical ping check, WhatsUp Gold monitors performance (e.g., CPU utilization, memory usage) and services (e.g., DNS, HTTP). It also has what's called "Passive Monitors" for monitoring SNMP traps, syslogs, and Windows event logs. 

I found that the Windows console is easier to use when setting up and configuring the monitoring tool, whereas the web console does a better job of displaying the status of each device. When a device goes down, the device's icon turns yellow and the web console displays a message noting which monitor (e.g., ping monitor, DNS monitor) is down and for how long. If the device continues to be unresponsive, the icon turns red. Clicking the device brings up additional information to help you troubleshoot the problem. 

WhatsUp Gold has a very configurable 
dashboard. I found it easy to add, remove, 
and adjust the dashboard to my liking, as 
Figure 3 shows. 

There's no doubt that Ipswitch has 
been around for the long haul and is well 
respected in the industry. Its latest version 
of WhatsUp Gold doesn't disappoint. 


WhatsUp Gold 

PROS: Easy to set up and configure; lots of features 

CONS: Expensive when compared to the free 
products in this review 

RATING: ♦♦♦♦♦ 

PRICE: Standard Edition $1,895 (up to 100 
devices); Premium Edition $2,695 (up to 100 
devices); Distributed Edition $3,495/central and 
$2,695/remote (up to 100 devices) 

RECOMMENDATION: For unparalleled network management, WhatsUp Gold delivers. If you need to manage it, this product can probably do it. 

CONTACT: Ipswitch • 781-676-5700 or 
800-793-4825 • www.whatsupgold.com 



Orion Network Performance 
Monitor (NPM) 

SolarWinds' Orion Network Performance 
Monitor (NPM) is another product that 
falls into the mature category. Although it's 
pricey when compared to the free products 
in this review, you get a lot of bang for your 
buck. 

I set up Orion NPM on a dedicated Windows Server 2008 server that's a member of my test network's domain. Installing it on a domain controller (DC) isn't supported. The setup takes care of the prerequisites for you, including installing .NET Framework 3.5 with SP1 and IIS. A back-end database is required to store the data that's collected. You can use SQL Server Express 2005 for a test or small network. However, SQL Server 2005 or later is recommended. 

The first time you log on to the web-based administrative console, a wizard helps you configure the credentials for SNMP, VMware, and Windows and configure the IP addresses you want to scan. The results are then imported into the database. 

Orion NPM found each device on my network without any problems, including the ESXi server. When I expanded the ESXi icon, a complete list of the VMs being hosted was displayed. Hovering over each VM provided a summary of that machine's status. If the VM wasn't running, its name was displayed in gray text. 

Figure 3: WhatsUp Gold dashboard 

Instead of installing agents, Orion NPM monitors devices using Internet Control Message Protocol (ICMP—aka pings), SNMP, WMI, or syslog, or by logging on to the device. According to the Orion NPM Administrator Guide, it uses agentless methods for the following reasons: 

• NPM does not employ services that take vital resources from critical applications. 

• NPM does not install any code on monitored network devices. Unmanaged or outdated code can open security holes in your network. 

For me, this clearly answers the age-old 
question of whether agent or agentless 
monitoring is best. 

I found Orion NPM's dashboard easy to navigate and well laid out. For example, as Figure 4 shows, it includes handy tabs at the top, such as Top 10, Alerts, Syslog, and Events. Like the ESXi server and its VMs, each device being monitored can be clicked to bring up a more detailed screen. The detailed screens have multiple "speedometers" that show real-time statistics such as average response time, packet loss, average CPU speed, and memory used. Clicking a speedometer displays a graph of that measurement's history. There's also a customizable historical graph that shows the device's status over several weeks or months. 

You can import the Network Atlas tool into Orion NPM. This tool lets you create maps of your network in four easy steps: Choose a background, add objects to the map, connect the objects to the back-end database objects, and customize as needed. SolarWinds provides more than 30 maps, including maps of the world and individual continents. In under a minute, I created a map of the United States, added an icon, and linked the icon on the map to a switch in my test network. 

SolarWinds has an interesting licensing model. Instead of a flat per-device price, the total cost is calculated by finding the largest number of interfaces, nodes, or volumes. For example, if you have two 48-port switches, 100 servers/nodes, and 20 hard drive volumes, you pay only for the highest number—in this example, 100 servers/nodes. When I entered this information into the online license calculator, I came up with a price of $3,595. The rest of the devices that you want to monitor are essentially "free." Before you buy online, though, be sure to give them a call to make sure you don't purchase more licenses than you need. 

Figure 4: Orion NPM's dashboard 

Have you ever set up an alert for a 
particular device, only to find out that you 
weren't notified when the device went down 
because you set up the alert incorrectly? 
Orion NPM includes the Test Fire Alerts 
tool, which lets you verify that you'll receive 
an alert when the device goes down. 

One odd aspect of Orion NPM is how its individual tools are implemented. Instead of putting all the tools in one executable, many of the tools are separate programs that you need to install. I counted 15 separate programs. 

Orion NPM is a proven network management program. I found it to be very robust and capable. However, the unique licensing model can be confusing and the price might be too high for some companies. 

Orion Network Performance Monitor 
(NPM) 

PROS: Creating network maps is easy and intuitive; dashboard puts the information you need at your fingertips 

CONS: Expensive when compared to the free products in this review; many individual programs to configure 

RATING: ♦♦♦♦O 

PRICE: Starts at $2,475 ($3,595 for 100 nodes) 

RECOMMENDATION: If you want a first-rate 
network management tool and cost is of no 
concern, Orion NPM is pretty amazing. 

CONTACT: SolarWinds • 866-530-8100 • 
www.solarwinds.com 


Editor's Choice 

Each of these products provides great management capability. I believe that they each fill a specific role. Spiceworks is great for the smaller business with little or no budget. Spiceworks also works well if you or your company supports the IT infrastructure of multiple smaller organizations. 

For mid-sized businesses that need an 
inexpensive network management tool, 
Foglight NMS fits the bill perfectly. You can 
monitor up to 100 devices for free. As time 
goes on, you can easily add devices and let 
Foglight NMS grow as your requirements 
grow. 

Large businesses that want the absolute 
best in network management will want to 
take a serious look at Orion NPM. 

WhatsUp Gold provides the ultimate in network management. Although it's significantly more expensive than the two free products in this review, it also has significantly more features. After hours of working with WhatsUp Gold, I was still finding cool and interesting features to try out. If you have a large network, have a lot of devices, and demand the ultimate in network monitoring and management, then WhatsUp Gold is your best bet. 

InstantDoc ID 141373 


Eric B. Rux 

(ebrux@whshelp.com) is a 
contributing editor for Windows IT 
Pro and the manager of technical 
support services at Eastern 
Washington University. 


64 FEBRUARY 2012 Windows IT Pro 


www.windowsitpro.com 


BUYER’S GUIDE 


Deployment Tools 

Tools to use when manually installing client OSs isn't practical 

by Eric B. Rux 


Installing a client OS isn't difficult; simply follow the wizard's step-by-step instructions and you're off and running. This process is almost foolproof nowadays and is surprisingly similar from OS to OS (e.g., Windows, Linux, Apple). The breakdown occurs when the number of machines that you need to deploy grows out of control. What might work for 1 to 10 OS installations quickly becomes impractical when that number becomes 20, 200, or 2,000 computers. 

The tried-and-true solution is to install and configure the OS on 
just one computer and create what is commonly called the "master 
image." Typically, the master image will contain software that's 
common to all computers in the company (e.g., Microsoft Office, 
Adobe Reader). After the master image is configured just the way 
you want it, it's deployed to the other computers that need an OS. 
Usually, you can deploy it to all the computers at the same time. It 
takes extra time up front to create the master image, but the goal is 
that OS deployment will take much less time overall. 

When using the master-image deployment method, you'll likely run into problems if you try to deploy the master image to different hardware. Creating an image on brand A and attempting to deploy it to brand B would more often than not lead to a blue screen of death because hardware abstraction layers (HALs) can vary between computer brands and between computer models. In addition, they might have different video drivers, drive controller drivers, and other types of drivers. You'll want to know if the vendor you choose has a method to work around this problem in your environment. 

After the master image has been created, you'll need to find 
a way to connect to the image over the network from computers 
without OSs. Creating a bootable DOS disk isn't practical anymore. 
It's difficult to find DOS drivers for modern network cards, and 
floppy disk drives are few and far between. Instead, a network 
boot (Preboot Execution Environment—PXE) server is usually 
used. With this server, all you need to do is press F12 during setup 
to have the computer boot from the network. If visiting each 
computer isn't possible, some vendors offer Wake on LAN (WOL) 
capabilities or clients that let you manage the deployment from a 
central location. 

When the image server starts to send the master image over the network to each computer, there's a possibility that it might interrupt the current network traffic. So, be sure to coordinate this traffic with your network engineers. Depending on how the switches and routers are configured, the network engineers might have a preference for the network protocol you use (e.g., multicast, unicast, anycast, broadcast). In the Buyer's Guide table on the following pages, you'll find the protocols that each vendor supports. 

Another area to consider is how the product is managed. Many administrators prefer to use a Microsoft Management Console (MMC) snap-in whenever possible. That way, all the commonly used Microsoft tools (e.g., Active Directory Users and Computers snap-in, DHCP snap-in) and third-party tools (e.g., disk defragmentation snap-in, disk imaging snap-in) are in one spot and easily accessible. If the thought of having to hunt down then open yet another administration application makes you cringe, consider a tool that you can add to your current MMC toolbox. 

No two deployment scenarios are the same, so make sure you 
fully understand the challenges that you currently face along with 
the goals that you would like to meet. For example, if you support 
an office full of computers, scheduling the image deployments isn't 
something that you're likely to be interested in. But if you support 
computer labs, such as those in a library or school, scheduling a 
reimage every night or each week might be essential. 

Last but certainly not least, you'll want to fully understand the licensing model that each vendor uses. For installations of just a few hundred computers, there might not be that much difference in prices between vendors. But if you have thousands of computers, the different licensing models can make a huge difference. The way products are licensed isn't always the same, so it can be difficult to compare apples to apples without a full understanding of how the licensing works. 

After you have narrowed down your search to two products, download the trial versions and kick the tires. Create a master image and deploy it to every brand and model that you currently support. Deployment technology has been around for so long now that the process should seem simple and intuitive. Remember, you'll spend more time up front setting up the master image, but the total time it takes for setup and deployment should be significantly less than if you were to install each computer separately using the wizard. 

InstantDoc ID 141296 
Buyer's Guide Table: Deployment Tools 

Acronis (781-782-9000; 877-669-9749; www.acronis.com) 
  Product: Acronis Snap Deploy 4 
  Price: Starts at $25; deployment license starts at $9.99 
  Licensing: Per machine or per deployment (per-deployment license includes Universal Deploy feature) 
  Supported Desktop OSs: Windows 7/Vista/XP/2000 Professional/98/ME/NT; Linux 
  BitLocker Support: No 
  Imaging Formats Supported: Microsoft Virtual Hard Disk (VHD) 
  Boot Environments: Windows Preinstallation Environment (WinPE); Linux 

Altrinsic Solutions (660-627-5520; www.altrinsicsolutions.com) 
  Product: DeployExpert (DX) for Microsoft System Center Configuration Manager (SCCM), Symantec Management Platform (SMP), or Altiris DS 
  Price: Contact Altrinsic 
  Licensing: Annual subscription or node based by volume band 
  Supported Desktop OSs: Windows XP and later; Windows Server 2003 and later 
  BitLocker Support: Yes 
  Imaging Formats Supported: Windows Imaging Format (WIM); Symantec Ghost; Altiris Rapid Deploy 
  Boot Environments: Per SCCM, SMP, or DS platform support 

Dell KACE (650-316-1054; 877-646-8366; www.dell.com/kace) 
  Product: Dell KACE K2000 Deployment Appliance 
  Price: $4,500 
  Licensing: Per endpoint 
  Supported Desktop OSs: Windows 2000 and later; Mac OS X 10.5 and later 
  BitLocker Support: Yes 
  Imaging Formats Supported: WIM; DMG for Mac; K-image for VMware 
  Boot Environments: Native K2000 Boot Environment for Windows and Mac OS 

LANDesk (800-982-2130; www.landesk.com) 
  Product: LANDesk Management Suite (suite includes deployment tools) 
  Price: $52 per node (1,000 nodes) 
  Licensing: Per node 
  Supported Desktop OSs: Windows; Linux; Mac 
  BitLocker Support: Yes 
  Imaging Formats Supported: Imaging tool agnostic (can use any imaging tool, including the one provided in the suite) 
  Boot Environments: WinPE; Linux PE 

Novell (800-529-3400; www.novell.com) 
  Product: ZENworks Configuration Management 
  Price: License $69; standard maintenance $16 
  Licensing: Per seat or per device 
  Supported Desktop OSs: Windows XP and later; SUSE Linux Enterprise Desktop (SLED) 10 and later; Mac OS X 10.5 and later 
  BitLocker Support: Yes 
  Imaging Formats Supported: WIM; Symantec Ghost; Novell ZENworks 
  Boot Environments: WinPE; Linux 

Prowess (206-443-1117; 888-733-7569; www.smartdeploy.com) 
  Product: SmartDeploy Enterprise 
  Price: Ranges based on quantity; $30 per machine for license and 1-year Essential Support (100 machines) 
  Licensing: Per machine 
  Supported Desktop OSs: Windows 
  BitLocker Support: Yes 
  Imaging Formats Supported: WIM 
  Boot Environments: WinPE 

Symantec (800-721-3934; www.symantec.com) 
  Product: Deployment Solution 
  Price: $48 per node (1 node) 
  Licensing: Per node 
  Supported Desktop OSs: Windows XP and later; Mac OS X 10.5 and later; 

Red Hat Enter¬ 
prise Linux (RHEL) 

4 and later; SUSE 
Linux Enterprise 
Server (SLES) 10 
and later 

Yes 

WIM; Symantec 
Ghost; VMware 
Virtual Machine 

Disk Format 
(VMDK) 

WinPE; 

Linux PE 


Editor's Note: Some vendors you might expect to see in this Buyer's Guide said they didn't have a product that exactly matched the 
criteria or didn't respond to our requests for information about their products. 
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Supports XP to 

Windows 7 In-Place 
Upgrade 

"Failsafe" Method in 

Case Image Update to 
Windows 7 Fails 

Preboot Execution 
Environment (PXE) 

Boot Server Included 

Supported Network 
Protocols 

Scheduled 

Deploy¬ 

ments 

Wake on LAN 
(WOL) 


No 

No 

Yes 

Multicast; unicast 

Yes 

Yes 


Yes 

Yes (per SCCM, SMP, or DS 
platform support) 

N/A (natively integrates 
with SCCM, Symantec 

PXE service, or Altiris PXE 
service) 

Multicast; unicast 

Yes 

Yes 


Uses a "capture user 
state, deploy OS, 
restore user state" 
model, which ends 
up functioning as an 
in-place upgrade 

Yes (capture user state 
model backs up user data 
in case of deployment 
failure) 

PXE for Windows included; 
netboot for Mac OS includ¬ 
ed; no Mac OS server 
needed for deployment 
(it's self-contained) 

Unicast; K-imaging uses 
a minimum update 
set model to reduce 
network traffic when 
imaging and updating 
K2000 Remote Site 
Appliances 

Is possible 
with inte¬ 
grated Dell 

KACE K1000 

Yes 


Yes 

Yes; the provisioning 
process allows for the data 
to be moved to a secure 
location prior to imaging 
or installing 

Yes 

Multicast; unicast 

Yes 

Yes (WOL and 
vProWOL) 


Yes 

Yes, with back-up 

Yes 

Multicast; unicast 

Yes 

Yes 


No 

No 

Yes (Windows Deploy¬ 
ment Services—WDS) 

Multicast; unicast 

Yes (WDS) 

Yes (WDS) 


Yes 

Yes 

Yes 

Multicast; unicast; 

HTTP 

Yes 

Yes 


Windows IT Pro, February 2012, page 67 (www.windowsitpro.com) 




INDUSTRY BYTES: Exchange, Apple, Mobile Devices 

INSIGHTS FROM THE INDUSTRY 


Exchange 15: Insights from Exchange Server 
General Manager Kevin Allison 


At last fall's Microsoft Exchange Connec¬ 
tions conference in Las Vegas, Exchange 
General Manager Kevin Allison gave a 
keynote entitled "Moving Into the Future 
with Microsoft Exchange." Before moving 
forward, Allison took time to apologize for 
and explain the problems the Exchange 
Server team had in 2011 with updates to 
Exchange Server 2010. Personally, I think 
that was a really good move—something 
I think doesn't happen enough in our soci¬ 
ety, let alone from big corporations. 

I won't dwell on what Allison covered 
in his keynote, mostly because Tony 
Redmond already wrote about it (http:// 
tinyurl.com/d8seu6d) . However, I did have 
the chance to sit down with Allison after¬ 
ward and talk a little more in depth about 
what's going on in the Exchange develop¬ 
ment process, what we can expect from 
the product now that the on-premises 
development is combined with the cloud 
version of Exchange Online, and also a few 
hints about what we might see in the next 
full-release version of Exchange, currently 
being called Exchange 15. 

To start with, Allison highlighted how 
the development of Exchange 2007 and 
Exchange 2010 was focused on minimiz-
ing the cost of deployment over time and 
on giving end users more control of 
basic functions so that admins can focus 
on things such as security and compliance. 
Exchange 2010, Allison said, "was built 
around the idea of enabling the admin to 
move functionality to the end user so that 
the admin can focus on overall system effi¬ 
ciency and workflow and improvements." 

"I think you'll see the same thing rela¬ 
tive to 15," Allison went on to say, "which 
is really a switch from very back-office 
focused, very admin focused value props. 
You can give value props to the end users 


and value props to the admin. For end 
users, it's about them being able to control 
their environment, control their communi¬ 
cation, control their workspace. For admins, 
it's providing them policies to manage 
things globally to allow them to mini¬ 
mize the day-to-day work that they have 
because it's being implemented in consis¬ 
tent ways; they can deal with the compli¬ 
ance issues; they can take advantage of 
lower-cost hardware, better deployment 
methodologies. So those are the focus. I 
think you'll see that continuing with 15." 

Another focus for development comes 
from the combination of technologies in 
Microsoft Office 365 and the idea of giving 
users control of how they interact with 
their environment. Allison suggested that 
the future could include "different modali¬ 
ties based on the user's desire. So if they 
want to use Lync as their primary interface, 
they want to use SharePoint as their pri¬ 
mary interface, they want to use Outlook 
as their primary interface, or they want to 
use OneNote, they can do that. And they 
have the value of those server applications 
and their efficiencies. I think that's where 
we're at, right in the middle of that transi¬ 
tion. And I think you'll see us continue 
to expand that transition and connect in 
other aspects of that experience." 

Developing the on-premises and 
cloud-based Exchange versions in tandem 
could affect the timing for releases. One of 
the reasons businesses choose to deploy 
cloud solutions such as Office 365 is so 
that they can stay current and have the 
latest releases as quickly as possible. For 
Microsoft, this presents a challenge to the 
traditional development cycle. However, 
according to Allison, the Exchange team 
has responded well, and we could poten¬ 
tially see major release versions coming 


more quickly than in the past. "Shipping 
product in a faster cycle is really, in a lot of 
ways, a response to the market dynamics 
changing and innovation being driven 
from the industry," Allison said. 

Naturally, the team is still concerned about 
the overall quality of what gets released for 
Exchange. If there was any doubt, certainly 
the problems faced with updates last year 
have ignited a fire in the Exchange team to 
get things right before releasing them to 
customers. 

"It's a really strange dichotomy that 
in one sense you get a complaint that 
you're just shipping more product to get 
revenue, but in the other sense you get 
accused of not innovating," Allison said. 
Although he wasn't able at this point to 
share any specifics of what innovations 
Exchange 15 would include, I think it's 
safe to assume we can expect develop¬ 
ments that make Exchange easier to run or 
host in cloud environments. It's no secret 
Microsoft has been making a major effort 
to move as many seats to the cloud as 
possible. 

Now, time for some pure speculation— 
albeit, based on past history of Microsoft's 
releases. If the Exchange team follows the 
pattern of previous releases, I'd expect 
them to release the final version by the 
end of the year. As for the final name, for 
the past couple of releases, they've looked 
forward and applied the year after the 
actual release year. So, Exchange Server 
2007 was released at the end of 2006, and 
Exchange Server 2010 came at the end of 
2009. My suspicion is they would avoid the 
bad luck omen of taking that route if they 
release in 2012 and might just stick with 
Exchange Server 2012. 

—B. K. Winstead 

InstantDoc ID 141223 


How Apple's Bets on Siri and C3 Technologies 
Could Pay Big Dividends 


Over the past decade, Apple has grown 
into a company that excels at making 
smart acquisitions, taking risky bets on 
emerging technologies, and then refining 
those acquisitions and technology into 
compelling consumer products. The next 
few years will tell us if Apple's corporate 
culture (and new CEO Tim Cook) can 
preserve what was obviously Steve Jobs' 
strength: the ability to look into the future 
a bit farther than others, or to see signifi¬ 
cance in combining things that others have 
missed. To see where the puck is going, not 
where it's been. 

A recent example of this is Apple's 
acquisition of Siri, which became the 
source behind Apple's revolutionary Siri 
voice assistant that premiered in the 
iPhone 4S. Siri isn't perfect—and is effec¬ 
tively a beta product, with its own share of 
glitches and unscheduled downtime—but 
it's also the best attempt yet at workable 
voice recognition software, and it points 
to a future in which humans will be able to 
communicate with computers and other 
smart devices simply by talking to them. 

To be fair, Microsoft has publicly 
demonstrated functional tablet comput¬ 
ers, smartphones, and voice recognition 
software years in advance of the iPad, 
iPhone, and Siri. Yet Microsoft's attempts 
were often half-steps, products that 
showed promise but needed more time 
and development before becoming truly 
viable consumer products. In his collec¬ 
tion of short biographies called American 
Sketches, Walter Isaacson related how Bill 
Gates once joked that he should rename 
the group responsible for speech recogni¬ 
tion at Microsoft the "wreck a nice beach" 
group, because that's what their software 
spit out when someone said "recognize 
speech." 

In my observation, Microsoft's product 
development process is more rational 
and data-driven, whereas Apple pushed 
ahead to finally produce industry-defining 
products such as the iPhone, iPad, and Siri. 
I'm not saying Microsoft's more analytical 
approach is flawed, but it doesn't seem to 


lend itself to the creation of risky, genre¬ 
defining products. Jobs proved that some¬ 
times it pays to ignore the accountants, 
disregard the data, shelve the customer 
satisfaction scores, and take a blind leap 
into the big unknown. 

In an article for The New Yorker, Tipping 
Point author Malcolm Gladwell recently 
likened Jobs to a great tweaker of ideas 
rather than a true inventor in the same 
vein as Einstein and Edison (http://tinyurl 
.com/bsagqzj). Although I believe the 
influence of Jobs goes beyond refin¬ 
ing and perfecting the ideas of others, 
Gladwell does have a point: In all of the 
aforementioned examples, Microsoft 
stopped pushing ahead in those catego¬ 
ries, eventually deciding that the effort 
to perfect the product wasn't worth the 
return on investment. 

Or perhaps those products were 
victims of the ongoing, internecine internal 
struggles between the multitude of 
product groups at Microsoft for resources 
and corporate attention. Contrast that with 
Apple: Jobs thought ahead, poured vast 
resources into what he thought would pay 
large dividends, and the iPod, iPad, and Siri 
are all results of those decisions. Although 
some companies have trouble thinking 
past the next quarter, Apple has proven to 
be a true master of the long game. 

Part of that long game undoubtedly 
involves mapping and navigation software, 
as Apple recently gobbled up C3 Tech¬ 
nologies, a small Swedish firm that Apple 
quietly acquired last fall for at least $260 
million. Most news reports mentioned that 
C3 Technologies provides mapping soft¬ 
ware, but a closer look reveals that C3 spe¬ 
cializes in some impressive technology that 
leverages multiple satellite images from 
a variety of angles to create stunningly 
realistic 3D maps. Here's how the technol¬ 
ogy was described from a C3 Technologies 
press release in early 2011: 

C3 Unlimited Oblique offers 

10-centimeter accuracy in every 

position, making it possible to 


accurately overlay roads, addresses, 
points of interest, company 
logos or advertisements... unlike 
most other commercial or even 
government-targeted oblique 
solutions on the market, which 
capture and process images of a 
geographic area from just four dif¬ 
ferent views, all of the maps in C3's 
new line offer 24 different oblique 
views, which means more crucial 
data is available for simulation, 
planning and precise measurement 
of distances, heights, perimeters, 
lengths, and widths. 

As is the case with tablet computers and 
voice recognition, I think Apple is playing 
the long game with mapping software 
and will leverage all of the company's 
recent acquisitions to push the mapping 
category in some way. Imagine a true 3D 
mapping service that can not only direct 
you to a street address but perhaps also 
route you to the correct office suite on 
the 15th floor. Or Siri-powered turn-by¬ 
turn navigation that doesn't just show 
you stills of what your destination looks 
like but provides you with a streaming, 

3D video road map as you approach your 
destination. Here are all the mapping- 
related acquisitions by Apple in the past 
24 months: 

• PlaceBase (mapping software) 

• Poly9 (mapping software) 

• C3 Technologies (3D environment 
mapping software) 

PlaceBase specializes in presenting 
map-related data in new ways, whereas 
Poly9 has developed cross-browser 3D 
globe technology that is used by several 
other sites, such as Skype. Pooling the 
resources of all three of those companies 
seems like just the sort of thing that 
Apple would need to do to mount a 
challenge to the now ubiquitous Google 
mapping services. 

—Jeff James 


The Value of RIM's October 2011 Service Outage 


There's one good thing that came out 
of RIM's service outage in October of 
last year. According to a report in The 
National (see http://tinyurl.com/6fyhz7n) , 
traffic accident deaths that are related to 
people who insist on reading email on 


their BlackBerry devices decreased while 
the service was unavailable. According 
to the police, accidents were reduced by 
40 percent and the fact that BlackBerry 
services were down definitely contributed 
to this statistic. 
It's such a relief to learn that a failure 
in technology has had such a marvelous 
side effect. Or maybe not. Perhaps the 
true social advantage delivered through 
BlackBerry and other mobile devices is the 
ability for individuals to remove them¬ 
selves from the gene pool through horrible 
accidents that occur when they read email. 

Seriously, it's a sad indicator of modern 
life that email has become so important that 
the arrival of a new message forces people 
to take their eyes off the road to read and 
then compose a response to incoming mes¬ 
sages. I'm sure that it's extremely upsetting 
for families to hear that someone has driven 
into a concrete lamp-post or another fixed 
object simply because they had to read 
their email. And this is even more upsetting 
if the driver killed someone else while his or 
her eyes were fixed on a screen. 

Hopefully RIM's outage last fall helped 
some people understand that they can 
survive without frequent updates, that life 
continues without email, and that a lot of 
what arrives into Inboxes is banal rubbish 
that fills servers, networks, and disks. We're 
all guilty of contributing to the dross that 
travels through email servers today. 

Despite what senders and recipi¬ 
ents say, very few messages are actually 
important enough to warrant immediate 
attention. Consider the average batch that 
arrives daily. It probably contains some 
worthy information, but it’s not something 
that you'd want to crash your car over. 

The problem with email is that it's 
become a bit like a drug for the modern office 
worker that we're soon introduced to after we 
take up a job. Mobile devices are the PEZ dis¬ 
pensers of the email world. The same is true 
of Facebook and Twitter updates. And when 
you step back and take stock, it's all so sad. 

Take the word of a recovering addict 
and enjoy the peace and tranquility of 
turning your iPhones, BlackBerries, and 
Windows Mobile phones off from time to 
time, especially while driving. That way you 
won't run the chance of becoming a statistic 
that the police comment upon the next 
time that we have a service outage! 
—Tony Redmond 
InstantDoc ID 140913 
Ctrl+Alt+Del 

by Jason Bovberg 


"Send your funny screenshots, oddball product 
news, and hilarious end-user stories to rumors@ 
windowsitpro.com. If we use your submission, 
you'll receive a Windows IT Pro Rubik's Cube." 






[Figure 1 screenshot: "ntvdm.exe - System Error" dialog reading "NTVDM encountered a hard error."] 


We enjoyed the announcement of Veyl Products' ePillow, a 
comfortable pillow-based tablet PC accessory that provides you 
with a more enjoyable and ergonomic user experience. Con-
structed of soft polyester with a suede feel and double-stitched 
for durability, the ePillow is available in twill cotton and synthetic 
leather. A "ledge" surrounds the outside to hold a tablet PC or iPad 
in place either horizontally or vertically. The ePillow will accom-
modate an Acer Iconia A500, Android ePad, Android Toughbook, 
Apple iPad/iPad 2, HP TouchPad, HTC Flyer Android, LG Iconia A 
500, LG Optimus, Motorola Xoom, Samsung Galaxy 10, and various 
other tablet PCs on the market today (as well as hard-copy books). 
As the groundhog prepares to behold his shadow, it's nice to know the 
ePillow is available to reduce neck aches, muscle fatigue, and eye strain 
while you enjoy your devices. 



Figure 1: I'm accustomed to softer errors 



Figure 2: Um, yes? No? Maybe? 


[Figure 3 screenshot: "Error Deleting File or Folder" dialog reading "Cannot delete Sasha - Involver: It is being used by another person or program. Close any programs that might be using the file and try again." with an OK button] 


USER MOMENT OF 
THE MONTH 

I was working in IT for a medical facility five years ago, 
and one day an older employee called to tell me that 
something was wrong with his password. It wasn't work¬ 
ing. I gave the usual advice of avoiding Caps Lock and 
ensuring that Num Lock was enabled for the right side of 
the keyboard. No luck. Eventually, he said, "When I type 
the password, it just appears as a bunch of asterisks!" I 
responded, "Actually, those asterisks are there to protect 
your password. If someone is standing behind you, they 
won't be able to read your password." The user thought 
for a moment and said, "But they show up even when 
there's no one standing behind me!" 

—Dick 


Figure 3: But I like Sasha! 